traceroute from the router with Zone Based Firewall

Unanswered Question
May 12th, 2009

Hi experts,

I've configured a Zone Based firewall on my 871 router with the latest IOS 12.4(24)T. My problem is that when I apply

zone-pair internet-self source internet destination self

I can't receive any traceroute responses from the router. When I make a traceroute from a Windows PC behind the router, everything is OK. I checked on the net and I found that Cisco IOS is using UDP traceroute and Windows uses TCP tracert. That's why I have permitted all ICMP from outside to the router, but it still doesn't work.

I'm attaching part of my config. Please help!!!

Thanks in advance.

Best Regards.

Tihomir Yosifov

IT support

Anonymous (not verified) Mon, 05/18/2009 - 10:47

If you are not able to successfully ping to an address it may be due to:

1) Routing issue

2) Interface Down

3) Access-list Command

4) Address Resolution Protocol (ARP) Issue


6)Correct Source Address

darkbeatzz Mon, 05/18/2009 - 23:38

First thing I would say about these zone based firewalls is stay a million miles away from them. They are horrible pieces of kit. Just get an ASA 5505 instead.

Secondly, turn off inspect for ICMP and that should resolve your issue.

zenon_electronics Tue, 05/19/2009 - 00:42

Hi, I can ping successfully, but the problem is that the traceroute is not successful. The traceroute in a Cisco router is kind of different than tracert from a Windows machine! I guess there is the problem.

Thanks.

