I have a problem with a PIX 506e. It is configured to allow ping and traceroute to the firewall's external address (a static address from an ISP). It works fine from a Windows computer, but a computer running Linux does not traceroute my PIX: it comes one step in front of my IP address but doesn't finish on my static IP; it displays *** for 20 hops and finishes without reaching my IP. Ping works just fine. I allowed traceroute, echo, time exceeded and unreachable on ICMP.
I even tried allowing any ICMP packets from outside to inside and placing access rules for it, and still no change. Is there something that Linux needs to do for traceroute that is different from Windows computers?
The difference is that Unix/Linux `traceroute` uses UDP (User Datagram Protocol) packets to a random high port number, while Microsoft Windows uses ICMP (Internet Control Message Protocol) packets. You need to allow UDP packets in the destination port range of 33434 to 33600 to the PIX's outside address from your inside hosts.
```
access-list outside_permit_in permit udp any host range 33434 33600
```
and still traceroute doesn't work from Linux. Is there something related to the ACL, like ICMP rules or some other ACL with UDP permissions, that I can use to solve this problem? MANY THANKS TO firstname.lastname@example.org FOR HIS VALUABLE ADVICE SO FAR!!!
No problem... that's what I'm here for. I was playing with this a little and also noticed my Linux client is sending out ICMP TTL messages for every hop. Try enabling ICMP directly to the outside firewall address as well. If it works, we can tighten it up.
I read so much documentation on traceroute and ping that I stumbled upon a debate on one forum that said the following: ......"A PIX or FWSM does not decrease the TTL of traffic passing through it, even though it is a Layer 3 device. Therefore, they NEVER show up in traceroutes.
Recently we discussed this behavior with the TAC. The TAC stated that this is
intended and they do not want to implement TTL decreasing in the (near) future"
.......If this is true, I can only use the command "traceroute -I", which in Linux generates ICMP Echo Reply instead of UDP's ICMP port-unreachable, and this way it works. Do you have some comment on this issue?
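To make the two behaviours discussed in this thread concrete (UDP vs. ICMP echo probes from Linux, and a PIX that never decrements TTL), here is a small simulation added as an example; it is not from the original posts or from Cisco, and the hop names, the `Hop` model and its flags are constructed assumptions:

```python
"""Constructed model of a traceroute path: each probe is sent with a rising
TTL; normal routers decrement it and answer with ICMP time-exceeded when it
hits zero, while a PIX/FWSM forwards without decrementing and so never
appears as a hop. The target answers only if the firewall policy lets the
probe type (UDP 33434-33600 or ICMP echo) through."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True     # False models a PIX/FWSM (assumption)
    is_target: bool = False         # the address traceroute is aimed at
    allow_udp_probe: bool = True    # ACL permits UDP 33434-33600 to it
    allow_icmp_echo: bool = True    # ACL permits ICMP echo to it


def probe(path, ttl, mode):
    """Return the name of the hop that answers one probe, or '*' for no reply.
    mode is 'udp' (default Linux traceroute) or 'icmp' (traceroute -I)."""
    for hop in path:
        if hop.is_target:
            # Locally destined packet: reply depends only on the ACL.
            # UDP mode expects ICMP port-unreachable, -I expects echo reply.
            allowed = hop.allow_udp_probe if mode == "udp" else hop.allow_icmp_echo
            return hop.name if allowed else "*"
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.name     # ICMP time-exceeded from this router
        # A hop that does not decrement TTL forwards silently (invisible).
    return "*"


def traceroute(path, mode, max_hops=20):
    """Collect responders per TTL; stop once the target answers."""
    result = []
    for ttl in range(1, max_hops + 1):
        who = probe(path, ttl, mode)
        result.append(who)
        if who != "*" and path[-1].is_target and who == path[-1].name:
            break
    return result


# Thread scenario: PIX outside address is the target, UDP probes not permitted.
SCENARIO = [Hop("isp-edge"),
            Hop("pix-outside", decrements_ttl=False, is_target=True,
                allow_udp_probe=False)]

if __name__ == "__main__":
    print("udp :", traceroute(SCENARIO, "udp", max_hops=5))
    print("icmp:", traceroute(SCENARIO, "icmp", max_hops=5))
```

Re-running the UDP trace after setting `allow_udp_probe=True` reproduces the effect of the `access-list ... permit udp ... range 33434 33600` entry, and a transit PIX placed between two routers shows up in neither mode.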