
ICMP & ICMP Error Inspection

terrygwazdosky
Level 1

I'm currently running PIX 7.0.4.10 and preparing for an ASA conversion. In anticipation of the move I've been cleaning up the configs and decided to turn on ICMP & ICMP Error Inspection so I could replace the "permit icmp any any" statement on my outside ACL with a more secure option.

However, traceroutes from Windows boxes now only show the first and last hops. I tried clearing the xlate, but still no go. If I add the permit statement back in it works. Isn't ICMP Error Inspection supposed to take care of this?

Am I missing something?

Thanks.

6 Replies

astripat
Level 1

Hi,

inspect icmp error should take care of the traceroute. However, if it does not work, we can try the following:

access-list external_access_in extended permit icmp any any unreachable
access-list external_access_in extended permit icmp any any time-exceeded

access-group external_access_in in interface outside

! define the class-map first, then reference it from the policy-map
class-map ttl
 match any

policy-map global_policy
 class ttl
  set connection decrement-ttl


Try after that and see if traceroute works. If it still fails, then please see if you are using PAT; if so, you might be running into this bug: CSCeg53811 (Outbound traceroute not working with PAT).

On a side note, 7.0 is pretty old code and upgrading to 7.2.4 won't be a bad option.

HTH

Ashu

When I try to access that bug ID I get: "Information contained within bug ID CSCeg53811 is only available to Cisco employees."

I am using PAT but I'm going to hold off on upgrading the PIX since I'll be going up to the ASA within a week or so. I'll try it again afterwards.

Thanks.

Hi,

If you are using PAT, then certainly you are hitting this bug. But as I stated earlier, it is highly recommended to upgrade the code, as 7.0 is very old code.

Ashu

The bug has to do with the embedded ICMP packet in the ICMP time-exceeded message not being overridden by the inspection.

You will have no issues with the ASA with newer code I bet.

I hope it helps.

PK

Thanks guys! I spent a few hours troubleshooting this... glad it wasn't just me.

Hi terrygwazdosky

In context to your first statement, I would like to tell you that outbound traceroute requires an access-list on the outside interface for time-exceeded and unreachable (for UDP traceroute), as just enabling ICMP inspection and ICMP error inspection in the policy-map won't allow the return traffic from the upstream / intermediate hops.
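
A way to check a PIX/ASA-style config for the three things this thread comes down to (the ACL applied inbound on the outside interface permits time-exceeded and unreachable, "inspect icmp error" is on, and decrement-ttl is set), as an added Python example that is not from the thread or from Cisco; the sample config below is constructed to mirror Ashu's snippet plus the inspection lines, and the ACL/interface names are taken from that snippet:

```python
import re

# Constructed sample config mirroring the fix suggested in the thread
# (ACL and interface names taken from that snippet, not from a real device).
SAMPLE_CONFIG = """
access-list external_access_in extended permit icmp any any unreachable
access-list external_access_in extended permit icmp any any time-exceeded
access-group external_access_in in interface outside
class-map ttl
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class ttl
  set connection decrement-ttl
"""

ERROR_TYPES = ("time-exceeded", "unreachable")  # the replies traceroute depends on


def audit_traceroute(config: str, interface: str = "outside") -> dict:
    """Report which prerequisites for outbound traceroute the config meets."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Find the ACL applied inbound on the interface facing the upstream hops.
    acl = None
    for ln in lines:
        m = re.fullmatch(rf"access-group (\S+) in interface {re.escape(interface)}", ln)
        if m:
            acl = m.group(1)
    # Collect the ICMP types that ACL permits from any source to any destination.
    permitted, icmp_any = set(), False
    if acl:
        pat = re.compile(rf"access-list {re.escape(acl)} extended permit icmp any any(?: (\S+))?")
        for ln in lines:
            m = pat.fullmatch(ln)
            if m and m.group(1):
                permitted.add(m.group(1))
            elif m:
                icmp_any = True  # blanket 'permit icmp any any', the rule the OP wanted to retire
    return {
        "inbound_acl": acl,
        "icmp_any": icmp_any,
        "icmp_errors_permitted": icmp_any or all(t in permitted for t in ERROR_TYPES),
        "inspect_icmp_error": "inspect icmp error" in lines,
        "decrement_ttl": "set connection decrement-ttl" in lines,
    }


if __name__ == "__main__":
    for key, val in audit_traceroute(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```

Feed it a `show running-config` capture to see which piece is missing before reaching for the blanket permit.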
