05-03-2010 12:33 PM - edited 03-11-2019 10:40 AM
I'm currently running PIX 7.0.4.10 and preparing for an ASA conversion. In anticipation of the move I've been cleaning up the configs and decided to turn on ICMP & ICMP Error Inspection so I could replace the "permit icmp any any" statement on my outside ACL with a more secure option.
However, traceroutes from Windows boxes now only show the first and last hops. I tried clearing the xlate, but still no go. If I add the permit statement back in, it works. Isn't ICMP Error Inspection supposed to take care of this?
Am I missing something?
Thanks.
05-03-2010 12:44 PM
Hi,
inspect icmp error should take care of the traceroute. However, if it does not work, we can try the following:
access-list external_access_in extended permit icmp any any unreachable
access-list external_access_in extended permit icmp any any time-exceeded
access-group external_access_in in interface outside
!
class-map ttl
 match any
!
policy-map global_policy
 class ttl
  set connection decrement-ttl
Try after that and see if traceroute works. If it still fails, then please check whether you are using PAT; if so, you might be running into this bug: CSCeg53811 Outbound traceroute not working with pat
On a sidenote, 7.0 is pretty old code and upgrading to 7.2.4 won't be a bad option.
HTH
Ashu
05-03-2010 01:39 PM
When I try to access that bug ID I get: "Information contained within bug ID CSCeg53811 is only available to Cisco employees."
I am using PAT but I'm going to hold off on upgrading the PIX since I'll be going up to the ASA within a week or so. I'll try it again afterwards.
Thanks.
05-03-2010 01:42 PM
Hi,
If you are using PAT, then certainly you are hitting this bug. But as I stated earlier, it is highly recommended to upgrade the code, as 7.0 is very old code.
Ashu
05-03-2010 01:44 PM
The bug has to do with the embedded ICMP packet in the ICMP time-exceeded message not being overridden by the inspection.
You will have no issues with the ASA with newer code I bet.
I hope it helps.
PK
05-03-2010 01:49 PM
Thanks guys! I spent a few hours troubleshooting this... glad it wasn't just me.
05-03-2010 04:34 PM
Hi terrygwazdosky
In context to your first statement, I would like to tell you that outbound traceroute requires an access-list on the outside interface for time-exceeded and unreachable (for UDP traceroute), as just enabling ICMP Inspection and ICMP Error Inspection in the policy-map won't allow the return traffic from the upstream / intermediate hops.
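The failure mode the thread describes, as an added example that is not part of the original posts and is not Cisco's code: a small Python model of a PAT firewall in front of a Windows-style traceroute (ICMP echo requests with increasing TTL). It models what the replies above describe: PAT rewrites the ICMP identifier on the way out, a time-exceeded message from an intermediate hop carries that translated identifier only inside the embedded probe, so the firewall must un-translate the embedded header to tie the error to a connection (the job of "inspect icmp error"), and the bug Ashu and PK mention breaks exactly that step. The addresses, the hop list, the `with_bug` switch, and the simplification that NAT rewrites the embedded header of any error the outside ACL admits are all constructed for illustration; the model does not reproduce the PIX/ASA implementation.

```python
"""Model of an ICMP traceroute crossing a PAT firewall with ICMP inspection.

Added example for this thread; not Cisco code and not the PIX/ASA implementation.
Constructed assumptions: the addresses and hop list, the `with_bug` switch, and
the simplification that NAT rewrites the embedded header of any ICMP error the
outside ACL admits, while inspection-admitted errors rely on inspection itself.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PERMIT_ANY = frozenset({ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED})  # permit icmp any any
PERMIT_ERRORS = frozenset({UNREACHABLE, TIME_EXCEEDED})  # the two ACEs suggested in the thread
INSIDE_HOPS = ["10.1.1.1"]                      # inside router: its errors never cross NAT
OUTSIDE_HOPS = ["203.0.113.1", "203.0.113.2"]   # hops beyond the firewall (constructed)
TARGET = "198.51.100.9"                         # traceroute destination (constructed)


@dataclass
class Icmp:
    src: str
    dst: str
    type: int
    ident: int                       # ICMP identifier; PAT rewrites it on the way out
    ttl: int = 64
    inner: Optional["Icmp"] = None   # error messages embed the probe that triggered them


@dataclass
class Firewall:
    outside_ip: str
    outside_acl: frozenset           # ICMP types the outside ACL permits inbound
    inspect_icmp: bool               # "inspect icmp": echo replies matched to their request
    inspect_icmp_error: bool         # "inspect icmp error": errors matched via the embedded probe
    with_bug: bool = False           # embedded probe is not un-translated (the bug in the thread)
    fwd: dict = field(default_factory=dict)   # (inside src, ident) -> translated ident
    rev: dict = field(default_factory=dict)   # translated ident -> (inside src, ident)

    def outbound(self, pkt: Icmp) -> Icmp:
        """PAT: every inside host shares outside_ip; the identifier keeps flows apart."""
        key = (pkt.src, pkt.ident)
        if key not in self.fwd:
            gid = 1024 + len(self.fwd)
            self.fwd[key], self.rev[gid] = gid, key
        return replace(pkt, src=self.outside_ip, ident=self.fwd[key])

    def inbound(self, pkt: Icmp) -> Optional[Icmp]:
        """ICMP arriving on the outside interface; returns the delivered packet or None."""
        if pkt.type == ECHO_REQUEST:          # unsolicited probe from outside: only the ACL decides
            return pkt if pkt.type in self.outside_acl else None
        if pkt.type == ECHO_REPLY:            # the reply carries the translated identifier itself
            ident, stateful = pkt.ident, self.inspect_icmp
        else:                                 # time-exceeded / unreachable from a hop on the path:
            ident = pkt.inner.ident           # the identifier is only inside the embedded probe
            stateful = self.inspect_icmp_error and not self.with_bug
        if not (stateful or pkt.type in self.outside_acl):
            return None                       # no connection match and no ACE: dropped
        key = self.rev.get(ident)             # un-translate back to the inside host
        return replace(pkt, dst=key[0], ident=key[1]) if key else None


def send_probe(fw: Firewall, probe: Icmp) -> Optional[Icmp]:
    """Walk one echo request along the path; return what reaches the inside host."""
    pkt = replace(probe)
    for hop in INSIDE_HOPS:
        pkt.ttl -= 1
        if pkt.ttl == 0:
            return Icmp(hop, probe.src, TIME_EXCEEDED, 0, inner=pkt)
    pkt = fw.outbound(pkt)
    for hop in OUTSIDE_HOPS:
        pkt.ttl -= 1
        if pkt.ttl == 0:                      # error is sent to the PAT address, embedding the translated probe
            return fw.inbound(Icmp(hop, pkt.src, TIME_EXCEEDED, 0, inner=replace(pkt)))
    return fw.inbound(Icmp(TARGET, pkt.src, ECHO_REPLY, pkt.ident))


def traceroute(fw: Firewall, src: str = "10.1.1.5", max_hops: int = 6) -> list:
    """Windows-style traceroute: echo requests with TTL 1, 2, 3, ... until the target answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(fw, Icmp(src, TARGET, ECHO_REQUEST, ident=7, ttl=ttl))
        hops.append(answer.src if answer else "*")
        if answer and answer.type == ECHO_REPLY:
            break
    return hops


def unsolicited_ping_admitted(fw: Firewall) -> bool:
    """Does an echo request from an outside host (constructed source) get through the outside ACL?"""
    return fw.inbound(Icmp("203.0.113.50", fw.outside_ip, ECHO_REQUEST, 1)) is not None


def scenarios() -> dict:
    """The three configurations discussed in the thread, side by side."""
    legacy = Firewall("192.0.2.1", PERMIT_ANY, inspect_icmp=False, inspect_icmp_error=False)
    buggy = Firewall("192.0.2.1", frozenset(), inspect_icmp=True, inspect_icmp_error=True, with_bug=True)
    fixed = Firewall("192.0.2.1", PERMIT_ERRORS, inspect_icmp=True, inspect_icmp_error=True)
    return {
        "permit icmp any any, no inspection": (traceroute(legacy), unsolicited_ping_admitted(legacy)),
        "inspection only, buggy code": (traceroute(buggy), unsolicited_ping_admitted(buggy)),
        "inspection + errors-only ACL": (traceroute(fixed), unsolicited_ping_admitted(fixed)),
    }


if __name__ == "__main__":
    for name, (path, ping_in) in scenarios().items():
        print(f"{name:40s} {' -> '.join(path)}   outside ping admitted: {ping_in}")
```

Running the block prints the three cases: `permit icmp any any` with no inspection shows every hop but also lets an unsolicited echo request from outside through; inspection alone on the buggy code shows only the inside router and the target, which is the symptom in the question (the intermediate hops' time-exceeded messages match no connection because their embedded identifier is never un-translated, while the final echo reply carries the identifier directly and is matched by plain ICMP inspection); inspection with the errors-only ACL shows every hop and still drops the unsolicited ping, which is the gain from retiring `permit icmp any any`.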