New Member

PIX 506 trace route not working normal

Hello,

Running a PIX 506 with 6.3.5 IOS

Current setup:

DSLmodem->PIX(via PPPoE)->Internal_Network

I thought I remembered being able to perform a trace route from my internal clients to external IPs, but it is failing right now, except for the actual destination. Here is what I mean by that:

C:\Windows\System32>tracert www.covad.net

Tracing route to www.covad.net [66.134.75.18]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 29 ms 28 ms 27 ms www.covad.com [66.134.75.18]

Trace complete.

This almost makes me believe it's an ISP issue, since I can ping any external IP fine. And since the final destination does give me data on the tracert, it seems like the PIX is functioning fine. However, I am just unsure.

Is there a command I can use to do a trace route from the PIX's external interface? That way I can rule it out as the culprit. Or is there a setting on the PIX to specifically allow trace routes to work separately from PINGs (pings work fine)? I don't believe there is, but maybe I am wrong.

I do not have any ACLs applied against my internal interface. I do have the:

access-list outside_acl permit icmp any any echo-reply

command enabled on the outside interface.

What am I missing? This issue is happening on all of my internal machines (a mix of XP, Vista, Server 2003...)

Thanks a lot

I really appreciate it.

1 ACCEPTED SOLUTION
Gold

Re: PIX 506 trace route not working normal

Damian,

Indeed some ISPs do hide their routes for security reasons. Try adding the following ACLs to the outside interface of your PIX and see if you are still observing the same response.

access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside

Save with - write mem and also issue clear xlate.

Hope this helps and please rate posts!

- Jay
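
The following is an added example, not code from the thread or from Cisco: a small Python model of why the question's tracert shows "* * *" for every hop but the last when the outside ACL only permits echo-reply, and why Jay's extra entries fix it. It assumes the tracert behaviour described (ICMP echo probes with increasing TTL), a top-down ACL with an implicit deny, and goes one step beyond the thread by also modelling a UDP-style traceroute whose destination answers with unreachable.

```python
import re

# PIX-style lines this model understands: ICMP entries of an ACL, and the
# access-group line that binds an ACL inbound on the outside interface.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+icmp\s+any\s+any\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")

# Constructed configs: the ACL from the question and the one from the accepted answer.
ORIGINAL_CONFIG = """
access-list outside_acl permit icmp any any echo-reply
access-group outside_acl in interface outside
"""
FIXED_CONFIG = """
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside
"""

def inbound_icmp_aces(config):
    """Return the (action, icmp-type) entries of the ACL bound inbound on 'outside'."""
    aces, bound = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    return aces.get(bound, [])  # an ACL that is never applied filters nothing

def permitted(aces, icmp_type):
    """Entries are evaluated top-down; anything unmatched hits the implicit deny."""
    for action, t in aces:
        if t == icmp_type:
            return action == "permit"
    return False

def simulate_tracert(aces, hops, destination_reply="echo-reply"):
    """Windows tracert sends ICMP echo requests with TTL 1, 2, ... Every router
    before the destination answers with time-exceeded; the destination answers
    with echo-reply (a UDP-probe traceroute would get unreachable instead).
    Each answer must pass the outside ACL to reach the client. Returns the ICMP
    type received per hop, or None for a "* * * Request timed out." line."""
    result = []
    for ttl in range(1, hops + 1):
        reply = destination_reply if ttl == hops else "time-exceeded"
        result.append(reply if permitted(aces, reply) else None)
    return result

if __name__ == "__main__":
    for label, cfg in (("before", ORIGINAL_CONFIG), ("after", FIXED_CONFIG)):
        print(label, simulate_tracert(inbound_icmp_aces(cfg), 8))
```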

2 REPLIES
New Member

Re: PIX 506 trace route not working normal

That worked. Thank you very much,

I appreciate it.
