03-17-2007 10:04 AM - edited 03-11-2019 02:48 AM
Hello,
Running a PIX 506 with 6.3.5 IOS
Current setup:
DSLmodem->PIX(via PPPoE)->Internal_Network
I thought I remember being able to perform a trace route from my internal clients to external IPs, but it is failing right now, except for the actual destination. Here is what I mean by that:
C:\Windows\System32>tracert www.covad.net
Tracing route to www.covad.net [66.134.75.18]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 29 ms 28 ms 27 ms www.covad.com [66.134.75.18]
Trace complete.
This almost makes me believe it's an ISP issue since I can ping any external IP fine. And since the final destination does give me data on the tracert, it seems like the PIX is functioning fine. However, I am just unsure.
Is there a command I can use to do a trace route from the PIX's external interface? That way I can rule it out as the culprit. Or is there a setting on the PIX to specifically allow trace routes to work separately from pings (pings work fine)? I don't believe there is, but maybe I am wrong.
I do not have any ACLs applied against my internal interface. I do have the:
access-list outside_acl permit icmp any any echo-reply
command enabled on the outside interface.
What am I missing? This issue is happening on all of my internal machines (a mix of XP, Vista, Server 2003...)
Thanks a lot
I really appreciate it.
03-17-2007 10:43 AM
Damian,
Indeed some ISPs do hide their routes for security reasons. Try adding the following ACLs to the outside interface of your PIX and see if you are still observing the same response.
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside
Save with - write mem and also issue clear xlate.
Hope this helps and please rate posts!
- Jay
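As an added illustration (not part of this thread and not Cisco's code), the following Python script does the two checks Jay's answer implies: it reports which of the ICMP message types a traceroute depends on are absent from the outside ACL, and it classifies a Windows tracert output that shows the symptom above (every intermediate hop timing out while the final hop answers). The ACL and tracert lines are constructed from this thread; the ACL name `outside_acl` is the one used here.

```python
import re

# ICMP types a traceroute needs to see coming back in through the outside
# interface: echo-reply for the final hop (Windows tracert sends ICMP echo),
# time-exceeded for every intermediate hop, unreachable for UDP-style tracers.
REQUIRED_ICMP = ("echo-reply", "time-exceeded", "unreachable")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+icmp\s+any\s+any\s+(\S+)$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")  # tracert hop lines start with a hop number

def missing_icmp_permits(config_lines, acl_name="outside_acl"):
    """Return the traceroute-related ICMP types the named ACL does not permit."""
    permitted = set()
    for line in config_lines:
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            permitted.add(m.group(2))
    return [t for t in REQUIRED_ICMP if t not in permitted]

def classify_tracert(output_lines):
    """'ok' if every hop answered, 'intermediate-hops-blocked' if only the
    final hop answered (the symptom in this thread), 'all-blocked' if none
    did, 'partial' otherwise, 'unknown' if no hop lines were found."""
    hops = [("Request timed out" not in m.group(2))
            for m in map(HOP_RE.match, output_lines) if m]
    if not hops:
        return "unknown"
    if all(hops):
        return "ok"
    if hops[-1] and not any(hops[:-1]):
        return "intermediate-hops-blocked"
    return "all-blocked" if not any(hops) else "partial"

# Constructed samples: the original outside ACL, the ACL after Jay's fix, and
# the tracert output from the question.
BEFORE_FIX = ["access-list outside_acl permit icmp any any echo-reply"]
AFTER_FIX = BEFORE_FIX + ["access-list outside_acl permit icmp any any time-exceeded",
                          "access-list outside_acl permit icmp any any unreachable"]
TRACERT_OUTPUT = ["Tracing route to www.covad.net [66.134.75.18]",
                  "over a maximum of 30 hops:"] + \
                 ["%d * * * Request timed out." % n for n in range(1, 8)] + \
                 ["8 29 ms 28 ms 27 ms www.covad.com [66.134.75.18]", "Trace complete."]

if __name__ == "__main__":
    print("symptom:", classify_tracert(TRACERT_OUTPUT))
    print("missing before fix:", missing_icmp_permits(BEFORE_FIX))
    print("missing after fix:", missing_icmp_permits(AFTER_FIX))
```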
03-17-2007 11:08 PM
That worked. Thank you very much,
I appreciate it.