configuring FWSM to reply from a tracert

Mar 27th, 2006

How do I get the FWSM or PIX to reply with its TTL? Ex. Linux server traces to any other network, default route on server is FWSM interface. That IP does not reply. I am having the same issue on my PIX devices. Can I turn this feature that hides the PIX off? Thank you in advance,

Patrick Iseli Mon, 03/27/2006 - 20:59

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to you need to configure the "icmp" command.

Example:

See: Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Examples:

Traceroute

Microsoft:

access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
access-group 101 in interface outside

UNIX:

access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-group 101 in interface outside

ICMP command example:

icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.x1 echo inside
icmp permit host 192.168.1.x2 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside

sincerely

Patrick

t.alfano Tue, 03/28/2006 - 15:31

Hey Patrick,


I really do appreciate you taking the time to respond. I was able to ping / trace through the FWSM, but I don't see it in a trace. Our Linux team is trying to configure "netdump" (a very low level tool to get off a type of "crashinfo" for Linux systems). It uses the TTL to determine the MAC of the nearest GW. Works on a router, not on a PIX or FWSM. You may have answered my question on the very first line by telling me that it isn't a stateful protocol, but is there any way to configure it to reply? Sorry for the lengthy reply, I am starting to think this is not a configurable option.

t.alfano Wed, 03/29/2006 - 08:51

Hey Patrick,

Thank you once again. I do have ICMP any any on all of the interfaces. None of my firewalls are actually showing the interface as a hop in the trace.

Thank you again for the effort. I would have suggested the same thing. Does this work on your PIX or fwsm(s)?

I am running 6.3(4),(5) on the PIX and FWSM Firewall Version 2.3(3).

Thanks again Patrick for your time, I suspect this is a "security feature" that can't be configured.
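The firewall never showing up as a hop matches how the PIX and FWSM forward traffic: the packet is passed on without the IP TTL being decremented, so the TTL never expires on the firewall and it never sends a time-exceeded, whatever the ICMP access-lists allow. The simulation below is an added example (not from this thread or from Cisco) that walks a traceroute across such a gateway and shows what Patrick's access-list 101 does and does not change; the topology and addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
# ICMP types that Patrick's access-list 101 lets back in on the outside interface
PIX_ACL_101 = frozenset({"unreachable", "time-exceeded", "echo-reply"})

@dataclass
class Hop:
    ip: str
    decrements_ttl: bool = True                     # routers do; the PIX/FWSM in this thread does not
    inbound_permit: Optional[frozenset[str]] = None  # ICMP types a filtering hop passes back in

def probe(path: list[Hop], ttl: int, udp: bool) -> Optional[tuple[str, str]]:
    """One traceroute probe with the given TTL. Returns (replying IP, ICMP type),
    or None when a firewall on the return path drops the reply."""
    for idx, hop in enumerate(path):
        if idx == len(path) - 1:                    # destination reached: UNIX traceroute sends UDP
            reply = (hop.ip, "unreachable" if udp else "echo-reply")  # and gets port unreachable
        else:
            if hop.decrements_ttl:
                ttl -= 1
            if ttl > 0:
                continue                            # forwarded on without replying
            reply = (hop.ip, "time-exceeded")       # TTL expired at this hop
        # the reply must cross every filtering device between the replier and the tracing host
        for fw in path[:idx]:
            if fw.inbound_permit is not None and reply[1] not in fw.inbound_permit:
                return None
        return reply
    return None

def traceroute(path: list[Hop], udp: bool = True, max_ttl: int = 30) -> list[str]:
    """Return the hop column a traceroute would print ('*' where no reply came back)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl, udp)
        hops.append("*" if reply is None else reply[0])
        if reply is not None and reply[1] != "time-exceeded":
            break                                   # destination answered
    return hops

def example_path(gateway_decrements_ttl: bool, gateway_acl: Optional[frozenset[str]]) -> list[Hop]:
    """Constructed topology: Linux server -> default gateway -> two routers -> target host."""
    return [Hop("10.1.1.1", gateway_decrements_ttl, gateway_acl),  # FWSM inside interface or a router
            Hop("10.2.2.1"), Hop("10.3.3.1"), Hop("192.0.2.10")]

if __name__ == "__main__":
    print("FWSM gateway, ACL 101:     ", traceroute(example_path(False, PIX_ACL_101)))
    print("router gateway:            ", traceroute(example_path(True, None)))
    print("FWSM, time-exceeded denied:", traceroute(example_path(False, frozenset({"unreachable"}))))
```

With the FWSM as gateway the trace starts at the first router behind it even though every ICMP type is permitted; dropping time-exceeded from the ACL turns the intermediate hops into "*" but still never makes the firewall itself appear.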
