What do I need to configure on a PIX 506 to allow tracert to work? At the moment if I do a tracert to a public IP not even the inside interface replies. I presume I just need to allow port 512 past the inside interface for the public IP's to reply? But why doesn't the inside on reply? It replies when I ping it.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Allowing Tracer through PIX
- Thread starter gmail2
- Start date
I'm not sure where you're getting port 512 from. But this will be o/s specific, depending what you're using to initiate the tracert (eg, windows uses only icmp, linux uses icmp and udp packets, as do different flavours of unix, but using different UDP ports)
The following link is a little outdated, but the basic theory is still relevant. Be sure to use ACLs rather than conduits.
Basically you need to allow icmp echo-replies and icmp-unreachables through the inbound acl applied to your outside interface, and whatever udp ports your client uses (if relevant).
CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
The following link is a little outdated, but the basic theory is still relevant. Be sure to use ACLs rather than conduits.
Basically you need to allow icmp echo-replies and icmp-unreachables through the inbound acl applied to your outside interface, and whatever udp ports your client uses (if relevant).
CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question