Cisco Support Community
Community Member

ICMP & ICMP Error Inspection

I'm currently running PIX 7.0.4.10 and preparing for an ASA conversion.  In anticipation of the move I've been cleaning up the configs and decided to turn on ICMP & ICMP Error Inspection so I could replace the "permit icmp any any" statement on my outside ACL with a more secure option.

However, traceroutes from Windows boxes now only show the first and last hops.  I tried clearing the xlate, but still no go.  If I add the permit statement back in it works.  Isn't ICMP Error Inspection supposed to take care of this?

Am I missing something?

Thanks.

2 ACCEPTED SOLUTIONS
Community Member

Re: ICMP & ICMP Error Inspection

Hi,

If you are using PAT, then certainly you are hitting this bug. But as I stated earlier, it is highly recommended to upgrade the code, as 7.0 is very old code.

Ashu

Community Member

Re: ICMP & ICMP Error Inspection

Hi terrygwazdosky

In the context of your first statement, I would like to tell you that an outbound traceroute requires an access-list on the outside interface for time-exceeded and unreachable (for UDP traceroute), as just enabling ICMP inspection and ICMP error inspection in the policy-map won't allow the return traffic from the upstream/intermediate hops.

6 REPLIES
Community Member

Re: ICMP & ICMP Error Inspection

Hi,

inspect icmp error should take care of the traceroute. However, if it does not work, we can try the following:

! permit only the ICMP errors traceroute needs, instead of "permit icmp any any"
access-list external_access_in extended permit icmp any any unreachable
access-list external_access_in extended permit icmp any any time-exceeded

access-group external_access_in in interface outside

! the class-map must exist before the policy-map references it
class-map ttl
 match any

! decrement TTL so the firewall itself shows up as a hop
policy-map global_policy
 class ttl
  set connection decrement-ttl


Try after that and see if traceroute works. If it still fails, then please check whether you are using PAT; if so, you might be running into this bug: CSCeg53811 "Outbound traceroute not working with PAT".

On a side note, 7.0 is pretty old code, and upgrading to 7.2.4 won't be a bad option.

HTH

Ashu

Community Member

Re: ICMP & ICMP Error Inspection

When I try to access that bug ID I get: "Information contained within bug ID CSCeg53811 is  only available to Cisco employees."

I am using PAT but I'm going to hold off on upgrading the PIX since I'll be going up to the ASA within a week or so.  I'll try it again afterwards.

Thanks.


Cisco Employee

Re: ICMP & ICMP Error Inspection

The bug has to do with the embedded ICMP packet in the ICMP time exceeded not being overridden by the inspection.

You will have no issues with the ASA with newer code I bet.

I hope it helps.

PK
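
The rewriting PK describes, as an added example that is not code from this thread or from Cisco: a byte-level Python model of a PAT'd Windows-style ICMP tracert probe, the Time Exceeded an intermediate hop sends back, and the un-translation that ICMP error inspection has to apply to both the outer IP header and the quoted inner datagram before the inside host can match the reply to its own probe. It also ties back to the ACL in Ashu's first reply: permitting time-exceeded and unreachable only gets the error as far as the firewall, and without the inner rewrite the host still prints a timeout for that hop. All addresses, identifiers and the helper names (echo_probe, pat_outbound, time_exceeded, untranslate_icmp_error, host_matches_probe, run) are assumptions made up for the example.

```python
"""Added example (not code from this thread or from Cisco): byte-level model of
a PAT'd ICMP traceroute probe and the Time Exceeded that comes back. Addresses,
identifiers and function names are assumptions made up for illustration."""
import struct

INSIDE_HOST = "10.1.1.5"    # assumed inside Windows box running tracert
PAT_ADDR = "203.0.113.2"    # assumed PIX/ASA outside (PAT) address
TARGET = "198.51.100.9"     # assumed tracert destination
HOP = "192.0.2.1"           # assumed intermediate router that expires the TTL

def ip2b(a):
    return bytes(int(x) for x in a.split("."))

def b2ip(b):
    return ".".join(str(x) for x in b)

def checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def incr_checksum(old, old_val, new_val):
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'). Needed because an
    ICMP error quotes only 8 bytes of the original ICMP message, so the
    quoted checksum cannot be recomputed from scratch."""
    s = (~old & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def set16(buf, off, val):
    buf[off:off + 2] = struct.pack("!H", val)

def ipv4_header(src, dst, proto, payload_len, ttl):
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                              ttl, proto, 0, ip2b(src), ip2b(dst)))
    set16(h, 10, checksum(bytes(h)))
    return bytes(h)

def echo_probe(src, dst, ident, seq, ttl):
    """ICMP echo request with a small TTL, as Windows tracert sends it."""
    b = bytearray(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"\x00" * 32)
    set16(b, 2, checksum(bytes(b)))
    return ipv4_header(src, dst, 1, len(b), ttl) + bytes(b)

def pat_outbound(pkt, pat_addr, pat_ident):
    """Outbound PAT: new source address and a new echo identifier."""
    p = bytearray(pkt)
    p[12:16] = ip2b(pat_addr)
    set16(p, 10, 0); set16(p, 10, checksum(bytes(p[:20])))
    old_ident = struct.unpack("!H", p[24:26])[0]
    set16(p, 24, pat_ident)
    set16(p, 22, incr_checksum(struct.unpack("!H", p[22:24])[0], old_ident, pat_ident))
    return bytes(p)

def time_exceeded(hop, probe):
    """RFC 792 Time Exceeded (type 11, code 0): 4 unused bytes, then the
    offending datagram's IP header plus its first 8 bytes."""
    b = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28])
    set16(b, 2, checksum(bytes(b)))
    return ipv4_header(hop, b2ip(probe[12:16]), 1, len(b), 255) + bytes(b)

def untranslate_icmp_error(pkt, pat_addr, inside_host, pat_ident, inside_ident, fix_inner=True):
    """What ICMP error inspection has to do on the way in: rewrite the outer
    destination AND the quoted inner source/identifier, then fix every checksum.
    fix_inner=False models the behaviour described in the thread, where only
    the outer header gets translated."""
    p = bytearray(pkt)
    if b2ip(p[16:20]) != pat_addr:
        raise ValueError("not addressed to the PAT address")
    p[16:20] = ip2b(inside_host)
    set16(p, 10, 0); set16(p, 10, checksum(bytes(p[:20])))
    if fix_inner:
        i = 28                       # offset of the quoted IP header
        p[i + 12:i + 16] = ip2b(inside_host)
        set16(p, i + 10, 0); set16(p, i + 10, checksum(bytes(p[i:i + 20])))
        q = i + 20                   # quoted ICMP header: only 8 bytes present
        old = struct.unpack("!H", p[q + 2:q + 4])[0]
        set16(p, q + 4, inside_ident)
        set16(p, q + 2, incr_checksum(old, pat_ident, inside_ident))
        set16(p, 22, 0); set16(p, 22, checksum(bytes(p[20:])))  # outer ICMP covers the quote
    return bytes(p)

def host_matches_probe(reply, host_ip, ident, seq):
    """Roughly what the tracert host checks before it prints a hop: a Time
    Exceeded whose quoted datagram is our own echo (our address, our id/seq)."""
    if reply[20] != 11 or b2ip(reply[16:20]) != host_ip:
        return False
    inner = reply[28:]
    if inner[9] != 1 or b2ip(inner[12:16]) != host_ip or inner[20] != 8:
        return False
    return struct.unpack("!HH", inner[24:28]) == (ident, seq)

def run(fix_inner):
    """One hop of the traceroute; True if the inside host can print that hop."""
    ident, seq, pat_ident = 0x1234, 1, 0x5D0C
    probe = echo_probe(INSIDE_HOST, TARGET, ident, seq, ttl=1)
    err = time_exceeded(HOP, pat_outbound(probe, PAT_ADDR, pat_ident))
    back = untranslate_icmp_error(err, PAT_ADDR, INSIDE_HOST, pat_ident, ident, fix_inner)
    return host_matches_probe(back, INSIDE_HOST, ident, seq)
```

`run(True)` models an inspection that rewrites the quoted datagram and the host recognises the hop; `run(False)` models the outer-header-only translation and the host discards the reply, which is why only the first and last hops show up. The incremental checksum is the part worth noting: because an ICMP error quotes only the first 8 bytes of the probe, the firewall cannot recompute the quoted ICMP checksum and must patch it in place.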

Community Member

Re: ICMP & ICMP Error Inspection

Thanks guys!  I spent a few hours troubleshooting this... glad it wasn't just me. 
