Linux doesnt ping or traceroutes my PIX 506e

soulmaris_79
Level 1

Hello,

I have a problem with a PIX 506e. It is configured to allow ping and traceroute to the firewall's external address (a static address from an ISP). It works fine from a Windows computer, but a computer running Linux does not traceroute my PIX: it comes one step in front of my IP address but doesn't finish on my static IP; it displays *** for 20 hops and finishes without reaching my IP. Ping works just fine. I allowed traceroute, echo, time exceeded and unreachable on ICMP.

I even tried allowing any ICMP packets from outside to inside and placing access rules for it, and still no change. Is there something that Linux needs to do for traceroute that is different from Windows computers?

7 Replies

noran01
Level 3

The difference is that Unix/Linux `traceroute` uses UDP (User Datagram Protocol) packets to a random high port number, while Microsoft Windows uses ICMP (Internet Control Message Protocol) packets. You need to allow UDP packets in the destination port range of 33434 to 33600 to the PIX's outside address from your inside hosts.

Hello

I need to allow that I can be tracerouted from any point on the Internet to my firewall's external (static) address.

Just add an ACL entry to your outside interface like so:

access-list <acl-name> permit udp any host <outside-ip> range 33434 33600

Hello,

I made an access list like this:

access-list outside_permit_in permit udp any host <outside-ip> range 33434 33600

and still traceroute doesn't work from Linux. Is there something related to the ACL, like ICMP rules or some other ACL with UDP permissions, that I can use to solve this problem? MANY THANKS TO noran01@icansp.com FOR HIS VALUABLE ADVICE SO FAR!!!

No problem... that's what I'm here for. I was playing with this a little and also noticed my Linux client is sending out ICMP TTL messages for every hop. Try enabling ICMP directly to the outside firewall address as well. If it works, we can tighten it up.

Here is the result of the commands show access-list & show access-group. Can you figure it out? Is anything missing?

thanks

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any x.x.x.x x.x.x.x (hitcnt=0)
access-list outside_access_in; 10 elements
access-list outside_access_in line 1 permit udp host x.x.x.x host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 2 permit icmp host x.x.x.x host x.x.x.x echo-reply (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x object-group TCP-UDP host x.x.x.x object-group TCP-UDP
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 4 permit udp host x.x.x.x host x.x.x.x (hitcnt=0)
access-list outside_access_in line 5 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 6 permit tcp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 7 permit icmp host x.x.x.x host x.x.x.x traceroute (hitcnt=0)
access-list inside_access_in; 7 elements
access-list inside_access_in line 1 permit icmp any any (hitcnt=136)
access-list inside_access_in line 2 permit icmp any any traceroute (hitcnt=0)
access-list inside_access_in line 3 permit tcp any any (hitcnt=89840)
access-list inside_access_in line 4 permit udp interface inside host x.x.x.x (hitcnt=0)
access-list inside_access_in line 5 permit tcp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 6 permit udp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 7 permit icmp interface inside host x.x.x.x traceroute (hitcnt=0)

Result of firewall command: "show access-group"

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
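An added example, not code from the thread: a small parser for PIX "show access-list" output that answers noran01's UDP-port point and the "is anything missing?" question by evaluating which ACE (if any) a Linux-style UDP probe to port 33434 or a Windows-style ICMP probe would hit. The sample lines and documentation addresses are constructed stand-ins for the poster's x.x.x.x.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's output; object-group and interface forms are skipped.
SAMPLE = """\
access-list outside_access_in line 1 permit udp host 203.0.113.10 host 198.51.100.1 range 33400 33600 (hitcnt=0)
access-list outside_access_in line 7 permit icmp host 203.0.113.10 host 198.51.100.1 traceroute (hitcnt=0)
access-list inside_access_in line 1 permit icmp any any (hitcnt=136)
"""
PORT_NAMES = {"echo": 7}  # named ports that appear in the thread

def _addr(t, i):  # 'any' | 'host A' | 'NET MASK' -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):  # optional 'eq P' | 'range LO HI' -> ((lo, hi) or None, next index)
    if i < len(t) and t[i] == "eq":
        p = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_aces(text):  # expanded ACEs (lines ending in a hitcnt) -> list of dicts
    aces = []
    for line in text.splitlines():
        m = re.search(r"\(hitcnt=(\d+)\)\s*$", line)
        if not m or " line " not in line:
            continue  # object-group parents and summary lines carry no hitcnt
        t = line[: m.start()].split()
        try:
            src, i = _addr(t, 6); sport, i = _port(t, i)
            dst, i = _addr(t, i); dport, i = _port(t, i)
        except (ValueError, IndexError):
            continue  # e.g. 'interface inside' used as a source
        aces.append({"acl": t[1], "line": int(t[3]), "proto": t[5], "src": src, "dst": dst, "sport": sport,
                     "dport": dport, "hits": int(m.group(1)), "icmp_type": t[i] if i < len(t) else None})
    return aces

def first_match(aces, acl, proto, src, dst, dport=None, icmp_type=None):
    """First ACE of `acl` that matches the probe, or None (the PIX's implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a["acl"] == acl and a["proto"] in (proto, "ip") and s in a["src"] and d in a["dst"]
                and (a["dport"] is None or dport is not None and a["dport"][0] <= dport <= a["dport"][1])
                and (a["icmp_type"] is None or a["icmp_type"] == icmp_type)):
            return a
    return None
```

Run against the thread's own output, the UDP ACE on outside_access_in permits only one source host rather than `any` as suggested earlier, so a probe from any other Internet address falls through to the implicit deny and hitcnt stays at 0.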

Hello,

I read so much documentation on traceroute and ping that I stumbled upon a debate on one forum that said the following: ......"A PIX or FWSM does not decrease the TTL of traffic passing through it, even though it is a Layer 3 device. Therefore, they NEVER show up in traceroutes.

Recently we discussed this behavior with the TAC. The TAC stated that this is intended and they do not want to implement TTL decreasing in the (near) future."

.......If this is true, I can only use the command "traceroute -I", which in Linux generates ICMP Echo Reply instead of UDP's ICMP-port-unreachable. And this way it works. Do you have some comment on this issue?
