PIX 506 trace route not working normal

dstalls
Level 1

Hello,

Running a PIX 506 with 6.3.5 IOS

Current setup:

DSLmodem->PIX(via PPPoE)->Internal_Network

I thought I remembered being able to perform a trace route from my internal clients to external IPs, but it is failing right now, except for the actual destination. Here is what I mean by that:

C:\Windows\System32>tracert www.covad.net

Tracing route to www.covad.net [66.134.75.18]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8    29 ms    28 ms    27 ms  www.covad.com [66.134.75.18]

Trace complete.

This almost makes me believe it's an ISP issue, since I can ping any external IP fine. And since the final destination does give me data on the tracert, it seems like the PIX is functioning fine. However, I am just unsure.

Is there a command I can use to do a trace route from the PIX's external interface? That way I can rule it out as the culprit. Or is there a setting on the PIX to specifically allow trace routes to work separately from pings (pings work fine)? I don't believe there is, but maybe I am wrong.

I do not have any ACLs applied against my internal interface. I do have the:

access-list outside_acl permit icmp any any echo-reply

command enabled on the outside interface.

What am I missing? This issue is happening on all of my internal machines (a mix of XP, Vista, Server 2003...)

Thanks a lot

I really appreciate it.

Accepted Solution

jmia
Level 7

Damian,

Indeed, some ISPs do hide their routes for security reasons. Try adding the following ACLs to the outside interface of your PIX and see if you are still observing the same response.

access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside

Save with write mem and also issue clear xlate.

Hope this helps and please rate posts!

- Jay

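Why the original ACL produces exactly the tracert pattern shown in the question, as an added illustration that is not code from this thread or from Cisco: each intermediate router answers an expiring probe with ICMP time-exceeded, and only the final host answers with echo-reply, so an inbound ACL that permits echo-reply alone lets hop 8 through and times out hops 1 to 7. The model below uses the ACL lines quoted in the thread; the evaluator, the hop addresses (documentation ranges) and the output format are constructed for the example and do not reproduce PIX internals. It also goes slightly beyond the thread by modelling a UDP-based traceroute, whose final hop answers with port unreachable instead of echo-reply, which is what the `unreachable` entry in the accepted answer covers.

```python
"""Model of how an inbound ICMP ACL shapes traceroute output.

Added example, not code from the thread or from Cisco. The ACL lines are the
ones quoted in the thread; the evaluator, the hop addresses and the output
format are constructed for illustration and do not reproduce PIX internals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpReply:
    """One inbound ICMP packet arriving at the outside interface."""
    hop: int          # TTL value of the probe that triggered it
    src: str          # router or host that sent the reply
    icmp_type: str    # PIX ACL keyword: echo-reply, time-exceeded, unreachable


def parse_acl(config_lines, acl_name):
    """Collect the ICMP types that `acl_name` permits from any source to
    any destination. Only the line shape used in the thread
    ('access-list NAME permit icmp any any TYPE') is understood; anything
    else is ignored, which mirrors the implicit deny at the end of an ACL."""
    permitted = set()
    for line in config_lines:
        parts = line.split()
        if (len(parts) == 7 and parts[0] == "access-list" and parts[1] == acl_name
                and parts[2:6] == ["permit", "icmp", "any", "any"]):
            permitted.add(parts[6])
    return permitted


def replies_for_path(path, probe="icmp"):
    """ICMP replies a traceroute elicits along `path`, one per TTL.

    Every router that expires the probe answers with time-exceeded. The
    final host answers with echo-reply for an ICMP probe (Windows tracert)
    or with port unreachable for a UDP probe (classic Unix traceroute).
    """
    replies = []
    for ttl, router in enumerate(path, start=1):
        if ttl < len(path):
            kind = "time-exceeded"
        else:
            kind = "echo-reply" if probe == "icmp" else "unreachable"
        replies.append(IcmpReply(hop=ttl, src=router, icmp_type=kind))
    return replies


def run_trace(path, config_lines, acl_name="outside_acl", probe="icmp"):
    """Render one tracert-style line per hop: a reply is shown only if the
    inbound ACL permits its ICMP type, otherwise the hop times out."""
    permitted = parse_acl(config_lines, acl_name)
    lines = []
    for reply in replies_for_path(path, probe):
        if reply.icmp_type in permitted:
            lines.append(f"{reply.hop:>3}  reply from {reply.src} ({reply.icmp_type})")
        else:
            lines.append(f"{reply.hop:>3}  * * * Request timed out.")
    return lines


def blocked_icmp_types(path, config_lines, acl_name="outside_acl", probe="icmp"):
    """ICMP types the trace needs that the ACL does not permit; an empty
    list means every hop will be displayed."""
    needed = {r.icmp_type for r in replies_for_path(path, probe)}
    return sorted(needed - parse_acl(config_lines, acl_name))


# ACL as the original poster had it, and as the accepted answer extends it.
ORIGINAL_ACL = ["access-list outside_acl permit icmp any any echo-reply"]
FIXED_ACL = ORIGINAL_ACL + [
    "access-list outside_acl permit icmp any any time-exceeded",
    "access-list outside_acl permit icmp any any unreachable",
]

# Constructed path: seven routers in documentation address space, then the
# destination address from the thread.
PATH = ["192.0.2.1", "192.0.2.254", "198.51.100.1", "198.51.100.9",
        "203.0.113.1", "203.0.113.17", "203.0.113.33", "66.134.75.18"]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("accepted answer", FIXED_ACL)):
        print(f"--- {label} ACL; blocked types: {blocked_icmp_types(PATH, acl)}")
        print("\n".join(run_trace(PATH, acl)))
```

Running it prints the seven timeouts followed by a reply from 66.134.75.18 for the original ACL, and a reply for every hop once time-exceeded and unreachable are permitted. The point for anyone hardening an outside interface is that the thread's fix relies on listing inbound ICMP types explicitly rather than on the firewall tracking ICMP state, so each reply type a diagnostic depends on has to be named, and `unreachable` in particular also carries the fragmentation-needed messages that path MTU discovery depends on.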

2 Replies


That worked. Thank you very much,

I appreciate it.
