New Member

Traceroute

Hello,

I am trying to allow FWSMs and PIXs to appear in traceroutes. It works on an ASA pair that I manage, but I have no luck with the FWSMs and the PIXs.

The only command that the ASAs have that the other firewalls don't is "set connection decrement-ttl".

All of the interfaces' ACLs have "icmp any any echo-reply", "icmp any any time-exceeded", and "icmp any any unreachable".

Also "icmp permit any interface name" is configured for all interfaces.

The only difference is there is no option for "set connection decrement-ttl" on the FWSM/PIXs in their global policy-maps.

FWSM Firewall Version 4.0(12) and Cisco PIX Security Appliance Software Version 7.0(7)

I have been using http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace as a guide.

Thanks,

Any help would be much appreciated.

3 REPLIES
Cisco Employee

Re: Traceroute

Hi Stuart,

Can you paste the config and tell me what is the model of the Pix firewall?

Cheers

Mike

New Member

Re: Traceroute

I can't post the config, but I have all the relevant parts of the config in the previous post.

The PIXs are 535s and the FWSMs are WS-SVC-FWM-1s.

Cisco Employee

Re: Traceroute

The firewall will not respond in traceroutes unless you have the decrement-ttl option.

The ASA can do that, but you can't fix it with the PIX/FWSM because they will not decrement the ttl and thus will "hide" from the traceroute.

I hope it is clear.

PK
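
The mechanism described in the last reply, as an added example that is not part of the thread and is not Cisco code: a small model of traceroute probing a path where one hop may or may not decrement the TTL. The hop names, the `Hop` class and the function names are assumptions made for illustration, and the model assumes the ICMP replies themselves are permitted, as in the ACLs quoted in the question.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True  # routers do; a hop with this off forwards TTL untouched


def send_probe(path, destination, ttl):
    """Forward one probe with the given initial TTL and return who answers it."""
    for hop in path:
        if not hop.decrements_ttl:
            continue  # packet passes through, TTL unchanged, so this hop never expires it
        ttl -= 1
        if ttl == 0:
            return hop.name  # this hop drops the probe and sends ICMP time-exceeded
    return destination  # TTL survived the whole path: the destination answers


def traceroute(path, destination, max_ttl=30):
    """Send probes with TTL 1, 2, 3... and list the responder for each one."""
    responders = []
    for ttl in range(1, max_ttl + 1):
        responder = send_probe(path, destination, ttl)
        responders.append(responder)
        if responder == destination:
            break
    return responders


def build_path(firewall_decrements):
    """Constructed sample path: router, firewall, router."""
    return [
        Hop("edge-router"),
        Hop("firewall", decrements_ttl=firewall_decrements),
        Hop("core-router"),
    ]


if __name__ == "__main__":
    # ASA-like behaviour with decrement-ttl set: the firewall is a visible hop.
    print(traceroute(build_path(True), "server"))
    # PIX/FWSM-like behaviour from the thread: the firewall is missing from the output.
    print(traceroute(build_path(False), "server"))
```

With the non-decrementing firewall the trace is one hop shorter and still completes, so a missing hop in the output is not evidence that the device is absent from the path.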
