Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
631
Views
0
Helpful
4
Replies

Cannot Perform Tracert From Behind PIX 515E ver. 7.0

Devildoc007
Level 4
Level 4

‎05-25-2006 07:52 AM - edited ‎02-21-2020 12:55 AM

Can someone help me with this problem that i am having with Windows desktops not being able to perform a tracert to an IP address outside of the company's network?

From behind the PIX 515E ver 7.0, i could successfully perform a traceroute on any router and switch to an external IP address. However, i could not perform a tracert from any Windows desktop to an external IP address. All i get is answer from the first hop (which is the default gateway) and the last hop (which is the destination IP address). All hops in between have *. Pinging is working properly from the desktops.

The PIX has rules that allow ICMP echo, echo reply, unreachable, time-exceeded and source-quench for any source and destination.

So how is it that the routers and switches could perform a traceroute successfully but Windows desktops could not perform the tracert? Any help is greatly appreaciated. Thanks.

JD

0 Helpful
4 Replies 4

dominic.caron
Level 5
Level 5

‎05-25-2006 09:06 AM

Cisco router, like linux, use UDP traceroute, not icmp.

As for your problem, you have permitted every type of icmp windows need. You are receiving a reply from the end host, this tell us the echo,echoreply are ok. The problem seem to be with the time-exeeded. Turn the syslog level on the pix to debug and see why the packet is getting dropped.

0 Helpful

Devildoc007
Level 4
Level 4
In response to dominic.caron

‎05-25-2006 05:21 PM

Thanks for the info. However, if Cisco router uses UDP traceroute, then how come i see ICMP type 11 in the PIX when i performed a debug icmp trace? Not only that, my inbound access list does not allow UDP.

In addition, when I tried a utility that i downloaded from the Internet that gives me an option to perform UDP traceroute from Windows desktops, it did not go through either. I monitored the debug icmp trace and did not see the trace in the PIX, so i guessed the utility did perform the UDP traceroute.

Regardless, i'll turn on the syslog level to debug and see why the packets are getting dropped. Is there a way to display the syslog messages on the telnet session? Or do i have to configure the PIX to send the syslog messages to a syslog server for analysis?

JD

0 Helpful

a.kiprawih
Level 7
Level 7

‎05-25-2006 07:01 PM

Hi,

Add/allow Echo Request (ICMP type 8)

Packet types 0, 8, and 11 are used for ICMP traceroute

Echo Request packets are sent out starting with a TTL packet of 1, and the TTL is incremented for each hop. The intermediate hops respond to the Echo Request packet with a Time Exceeded packet; the final destination responds with an Echo Reply packet.

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html#wp1039035

Rgds,

AK

0 Helpful

Devildoc007
Level 4
Level 4
In response to a.kiprawih

‎05-26-2006 05:29 AM

i already have the ICMP echo and echo request message types allowed in to and out of the PIX.

jd

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card