
Allowing Tracer through PIX

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
What do I need to configure on a PIX 506 to allow tracert to work? At the moment, if I do a tracert to a public IP, not even the inside interface replies. I presume I just need to allow port 512 past the inside interface for the public IPs to reply? But why doesn't the inside one reply? It replies when I ping it.
 
I'm not sure where you're getting port 512 from. But this will be OS-specific, depending on what you're using to initiate the tracert (e.g., Windows uses only ICMP; Linux uses ICMP and UDP packets, as do different flavours of Unix, but using different UDP ports).

The following link is a little outdated, but the basic theory is still relevant. Be sure to use ACLs rather than conduits.


Basically you need to allow icmp echo-replies and icmp-unreachables through the inbound acl applied to your outside interface, and whatever udp ports your client uses (if relevant).



CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
 
Sorry, I meant ICMP time-exceeded, not unreachables. Although you may also want to allow unreachables depending on your network design past the PIX.

CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
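The permits described in the two replies above, written out in PIX 6.x access-list syntax as an added example (not configuration from the thread or from Cisco). The ACL names `outside_in` and `inside_in` are assumptions, as is the UDP range 33434-33534, which is the default probe range of Unix/Linux traceroute and not something the thread states.

```cisco
! Added example, not from the original thread. ACL names are assumed.
! Replies a traceroute needs back in through the outside interface:
!   echo-reply     final hop answering a Windows (ICMP) tracert
!   time-exceeded  every intermediate hop, for ICMP or UDP traceroute
!   unreachable    final hop answering a Unix/Linux (UDP) traceroute
!                  with port-unreachable (optional, per the second reply)
! Tighten the destination from "any" to your global/NAT address range
! where your design allows it.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
! ... your existing inbound permits follow ...
access-group outside_in in interface outside

! Only needed if an ACL is already applied to the inside interface;
! without one, inside-to-outside traffic is permitted by default.
! If that ACL has another name, add these lines to it instead.
! 33434-33534 is the usual Unix/Linux traceroute UDP probe range (assumed).
access-list inside_in permit icmp any any echo
access-list inside_in permit udp any any range 33434 33534
access-group inside_in in interface inside
```

The outbound probes themselves (ICMP echo or UDP) leave via the inside interface, so on a PIX 6.x without an inside ACL it is only the returning ICMP messages that the outside ACL has to permit.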
 