Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allowing 'traceroute' through a PIX

This seems pretty juvenile, but how do I allow traceroute from the inside to the dmz. My access list has only the implict rule to allow all higher secured interfaces access to lower secured interfaces. So, all traffic from the inside is being allowed to the dmz. However, a traceroute is stopping at the firewall. Can someone please help???


Re: Allowing 'traceroute' through a PIX

It depends a bit on what kind of host is trying to traceroute, but take a look at this:

New Member

Re: Allowing 'traceroute' through a PIX

Apparently you have to be running V7.0


Re: Allowing 'traceroute' through a PIX


If you're using the implied rules to go from high to low security, then you need to define and access list to allow the icmp messages back in because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit icmp any any echo-reply


Please rate this message if it solved some or all of your issue/question.

Cisco Employee

Re: Allowing 'traceroute' through a PIX

If you are running 7.x, please add the following commands to your PIX

policy-map global_policy

class inspection_default

inspect icmp error



inspect icmp error

To enable application inspection for ICMP error messages, use the inspect icmp error

command in class configuration mode. Class configuration mode is accessible from policy

map configuration mode.


This command is disabled by default.

Use the icmp error command to create xlates for intermediate hops that send ICMP error

messages, based on the static/NAT configuration. The security appliance overwrites the

packet with the translated IP addresses.

When enabled, the ICMP error inspection engine makes the following changes to the ICMP


? In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the

IP checksum is modified.

? In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.

? In the Payload, the following changes are made:

- Original packet NAT IP is changed to the Client IP

- Original packet NAT port is changed to the Client Port

- Original packet IP checksum is recalculated

Hope it helps

Franco Zamora