TOPIC: Traceroute to pix advice wanted.

Traceroute to pix advice wanted. 10 years 10 months ago #12991

d_jabsd (Distinguished Member; Posts: 153; Karma: 0)
Does anyone know how to allow a UDP-based traceroute (*nix/IOS traceroutes) on the outside interface of a PIX?

ICMP-based traces work fine.

I tried the following ACL, but it had no effect.

access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside


i don't like using this acl for obvious reasons, but since not every one uses ICMP-based trace by default, I thought maybe it would work.

Thanks.

Re: Traceroute to pix advice wanted. 10 years 10 months ago #13008

Chris (Administrator; Posts: 1446; Thank you received: 13; Karma: 8)
d_jabsd,

So you basically want to be able to allow others to use traceroute (UDP) from the public Internet to your PIX outside interface. Is this correct?

Judging from your access list, I'm assuming you've got a dynamic public IP address. Please confirm this and provide us with your complete access list, or even configuration, in case you have no static IP addresses and therefore don't risk exposing your network.

As a last note, can you let us know what PIX model and OS version you're running?

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Traceroute to pix advice wanted. 10 years 9 months ago #13142

d_jabsd (Distinguished Member; Posts: 153; Karma: 0)
> d_jabsd,
>
> So you basically want to be able to allow others to use traceroute (UDP) from the public Internet to your PIX outside interface. Is this correct?
>
> Judging from your access list, I'm assuming you've got a dynamic public IP address. Please confirm this and provide us with your complete access list, or even configuration, in case you have no static IP addresses and therefore don't risk exposing your network.
>
> As a last note, can you let us know what PIX model and OS version you're running?
>
> Cheers,

You are correct. I want to be able to trace from the public internet to the pix outside interface.

They all have static IPs. I use 'interface outside' for acl entries where the actual address doesn't matter much. In this case, I don't particularly care what the address is, as long as it responds.

I do know this method works, as I use it in other ACLs with no issue.
E.g. the entire OUTSIDE_INBOUND_ACL:

access-list OUTSIDE_INBOUND_ACL line 1 remark Permit ICMP Responses
access-list OUTSIDE_INBOUND_ACL line 2 permit icmp any interface outside unreachable (hitcnt=11173)
access-list OUTSIDE_INBOUND_ACL line 3 permit icmp any interface outside time-exceeded (hitcnt=884)
access-list OUTSIDE_INBOUND_ACL line 4 permit icmp any interface outside echo-reply (hitcnt=4)
access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside (hitcnt=560)

I am using my personal PIX 506e running 6.3(5) for testing. Once a working solution is found, it will be implemented on 2 PIX 501s running 6.3(5) and an Active/Passive 515e pair running 6.3(3).

Thanks for your time and help with this.
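An added example, not code from the thread or from Cisco: a small parser for the PIX 6.3 `show access-list` lines quoted above and a top-down matcher, used to show which entry each packet involved in a traceroute hits on the inbound ACL. The probing host address and the hypothetical TCP/other-destination packets are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Constructed sample: the OUTSIDE_INBOUND_ACL as posted in the thread, in PIX 6.3
# "show access-list" form (hit counters included).
ACL_TEXT = """\
access-list OUTSIDE_INBOUND_ACL line 1 remark Permit ICMP Responses
access-list OUTSIDE_INBOUND_ACL line 2 permit icmp any interface outside unreachable (hitcnt=11173)
access-list OUTSIDE_INBOUND_ACL line 3 permit icmp any interface outside time-exceeded (hitcnt=884)
access-list OUTSIDE_INBOUND_ACL line 4 permit icmp any interface outside echo-reply (hitcnt=4)
access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside (hitcnt=560)
"""

ADDR = r"(?:any|host \S+|interface \S+)"        # address forms this parser understands
ACE_RE = re.compile(
    rf"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    rf"(?P<proto>\S+) (?P<src>{ADDR}) (?P<dst>{ADDR})"
    r"(?: (?P<icmp_type>[a-z-]+))?(?: \(hitcnt=(?P<hits>\d+)\))?$")

Ace = namedtuple("Ace", "line action proto src dst icmp_type hits")
# src/dst are IPs, or "interface outside" for packets addressed to the PIX's own outside address.
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=(None,))

def parse_acl(text):
    """Parse permit/deny entries; remark lines do not match ACE_RE and are skipped."""
    aces = []
    for m in filter(None, (ACE_RE.match(l.strip()) for l in text.splitlines())):
        aces.append(Ace(int(m["line"]), m["action"], m["proto"], m["src"], m["dst"],
                        m["icmp_type"], int(m["hits"] or 0)))
    return aces

def addr_match(spec, addr):
    return spec == "any" or spec == addr or spec == f"host {addr}"

def first_match(aces, pkt):
    """First ACE matching pkt, evaluated top down as the PIX does; None means implicit deny."""
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto)
                and addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)
                and not (ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type)):
            return ace
    return None

# Inbound packets on the outside interface around traceroute (203.0.113.10 is a constructed host).
PIX = "interface outside"
UDP_PROBE = Packet("udp", "203.0.113.10", PIX)                         # *nix/IOS traceroute towards the PIX
TIME_EXCEEDED = Packet("icmp", "203.0.113.10", PIX, "time-exceeded")   # answers to a trace run *from* the PIX
PORT_UNREACHABLE = Packet("icmp", "203.0.113.10", PIX, "unreachable")
# The port-unreachable a remote prober needs back is generated by the PIX and leaves the outside
# interface, so no entry of an inbound ACL decides whether the PIX sends it.
```

Running `first_match(parse_acl(ACL_TEXT), UDP_PROBE)` returns line 5, confirming the probe itself is permitted inbound; the matcher only answers what the ACL answers, not whether the firewall replies.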
