Hi M8,

That was my initial configuration since I knew that this is the exact required configuration but sorrowfully it is not working.

I ended up in the following config and still not working:

access-list aclout permit icmp any any

access-list aclout permit ip any any

I stopped my IDS engine, stopped my IP spoofing mechanisms ... and still no hope ... really confused.

Thanks for the help anyway.

Salem.

can you please send your config minue sensitive information?

Here you go ...

Thanks in advance.

Salem.

Wow....I haven't seen the 7.0 configs yet...it looks alot more like IOS.

My guess is that your IDS policy is blocking ICMP. I have had this problem in the past. Try removing IDS policy from interface and try trace route:

no ip audit name MY-ATTACK attack action alarm drop

IF it works, you'll need to figure out which signature is blocking icmp and disable it.

ooops......wrong command:

to remove from interface.......

no ip audit interface outside MY-ATTACK

Your config look good.

Have you seen this icmp config guide ?

The PIX and the traceroute Command:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277d.html#wp1521845

Working example:

Traveroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

sincerely

Patrick

Thanks for all of your efforts guys, but it looks like I found something ...

I did a quick RedHat installation using VMWare on my local machine and tracing worked from it ...

Now I'm more upset, all of the local machines here are Windows based and they are not working, and after wasting two days of working on the perimeter devices ... it's just the stupid MS OS ...

Linux is working fine now, but I don't know what's wrong with XP Pro ???

By the way, I already tried all the ideas that you suggested guys, read all documents related to ICMP on Cisco website .... but sorrowfully nothing worked ...

Thanks alot guys ... but I think I need to post this on some Anti-Microsoft forum ... ;-)

Salem.

I don't know if PIX OS 7.0 has the same issue, but it might be the problem source.

PIX Firewall earlier than version 6.3(2) block dns query responses if query comes from Server 2003 and the external DNS server supports EDNSO. Microsoft's workaround of disabling DNS-Probes did not solve the problem. Short of updating the IOS is there a way to change the DNS-UDP packet size limit that is currently set on PIX? . . or some other solution ?

In PIX OS 6.3, it is possible to change the maximum DNS packet length using "fixup protocol" command:

fixup protocol dns maximum-length

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

Or disabling dns fixup altogether (no fixup protocol dns)

I don't think there is any workaround with OS 6.2 and earlier, since the "DNS Guard" feature is hard-coded with no knobs for tweaking.

These threads are related to the same issue:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd75208

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7c059

I had the same problem and resolved it back in November using this procedure. Make sure you do it on BDC also. Stop/Restart DNS service or reboot domain controllers.

For those customers using the Microsoft Windows 2003 Server's DNS

application, you must first install the dnscmd.exe command-line tool

from the Microsft Windows 2003 Server CD-ROM's Support Tools. Once

this is installed, open a DOS command prompt window and type:

dnscmd /config /enableednsprobes 0

This will turn off EDNS.

If at a future time the customer upgrades their firewall application

to support EDNS, running "dnscmd /config /enableednsprobes 1" will

turn EDNS back on.

sincerely

Patrick

Hi Salem

Since this was an interesting discussion, I just want to add to the discovery you made regarding trace route working from Linux but nor from Windows. This is due to the different implementation of traceroute in these 2 OS. Linux implements traceroute through UDP probe packets and Windows does it through icmp echo. That's the reason it was working on linux and not working on Windows

Thanks alot Mate,

You are a real star ... it's solved ...

Salem.