Allow traceroute

[151569]

Hello

I need help for configuration, permit access from network internal for network external any host, for use tool traceroute, how make this ?

Thanks.

 

[brianinms]

Well it depends, what hardware do you have?

 

[151569]

I have PIX 515 ... you know ?

Thanks.

 

[haykatyck]

You could do something like this:

object-group icmp-type TRACEROUTE
icmp-object echo
icmp-object time-exceeded


access-list <ACL_name> permit icmp any <server_IP> 255.255.255.255 object-group TRACEROUTE

 

[Supergrrover]

You need to add

fixup protocol icmp error

Tracert sends packets with the TTL going from 1 upwards. when the router gets a packet that it kills from the TTL being 0 it replies with a new packet. The PIX/ASA won't allow that in unless you tell it to look for packets returning but sourced from the external device.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[haykatyck]

Thanks, Brent, I had forgotten that.

John
<lots of meaningless certifications here>