Traceroute to pix advice wanted.
18 years 9 months ago #12991
by d_jabsd
Traceroute to pix advice wanted. was created by d_jabsd
Does anyone know how to allow a udp-based traceroute (*nix/IOS traceroutes) on the outside interface of a Pix?
ICMP based traces work fine.
I tried the following ACL, but it had no effect.
access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside
I don't like using this acl for obvious reasons, but since not everyone uses ICMP-based trace by default, I thought maybe it would work.
Thanks.
18 years 9 months ago #13008
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Traceroute to pix advice wanted.
d_jabsd,
So you basically want to be able to allow others to use traceroute (udp) from the public to your pix outside interface. Is this correct?
Judging from your access list, I'm assuming you've got a dynamic public IP address. Please confirm this and provide us with your complete access list, or even configuration in case you have no static IP addresses and therefore don't risk exposing your network.
As a last note, can you let us know what pix model and OS version you're running?
Cheers,
18 years 9 months ago #13142
by d_jabsd
Replied by d_jabsd on topic Re: Traceroute to pix advice wanted.
You are correct. I want to be able to trace from the public internet to the pix outside interface.
They all have static IPs. I use 'interface outside' for acl entries where the actual address doesn't matter much. In this case, I don't particularly care what the address is, as long as it responds.
I do know this method works, as I use it in other acls with no issue.
eg: the entire OUTSIDE_INBOUND_ACL-
access-list OUTSIDE_INBOUND_ACL line 1 remark Permit ICMP Responses
access-list OUTSIDE_INBOUND_ACL line 2 permit icmp any interface outside unreachable (hitcnt=11173)
access-list OUTSIDE_INBOUND_ACL line 3 permit icmp any interface outside time-exceeded (hitcnt=884)
access-list OUTSIDE_INBOUND_ACL line 4 permit icmp any interface outside echo-reply (hitcnt=4)
access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside (hitcnt=560)
I am using my personal pix 506e running 6.3(5) for testing. Once a working solution is found, it will be implemented on 2 pix 501s running 6.3(5) and an Active/Passive 515e pair running 6.3(3).
Thanks for your time and help with this.
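As an added illustration (my own code, not from the thread, Firewall.cx or Cisco), here is a small Python model of the inbound ACL d_jabsd posted, evaluated against the destination ports a classic UDP traceroute sends and the ICMP replies the tracing host needs back. It also shows a tightened UDP entry restricted to the traceroute probe port range, which is an assumed alternative the thread does not show; that PIX 6.3 accepts "range 33434 33534" after "interface outside" is likewise an assumption. The parser's first-match / implicit-deny semantics and the traceroute port arithmetic (base port 33434, one port per probe, three probes per TTL) are protocol facts, not taken from the page.

```python
"""Model of a PIX-style inbound ACL evaluated against a UDP traceroute.

Added example: POSTED_ACL is the access-list from the thread; the tightened
variant is an assumed alternative that the thread itself does not show.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ACL entries as posted in the thread (the parser ignores the hit counters).
POSTED_ACL = """
access-list OUTSIDE_INBOUND_ACL line 1 remark Permit ICMP Responses
access-list OUTSIDE_INBOUND_ACL line 2 permit icmp any interface outside unreachable (hitcnt=11173)
access-list OUTSIDE_INBOUND_ACL line 3 permit icmp any interface outside time-exceeded (hitcnt=884)
access-list OUTSIDE_INBOUND_ACL line 4 permit icmp any interface outside echo-reply (hitcnt=4)
access-list OUTSIDE_INBOUND_ACL line 5 permit udp any interface outside (hitcnt=560)
"""

# Assumed tightened variant: identical, except UDP to the outside interface is
# limited to the classic traceroute probe port range instead of every port.
TIGHTENED_ACL = POSTED_ACL.replace(
    "permit udp any interface outside (hitcnt=560)",
    "permit udp any interface outside range 33434 33534",
)

# One access-list line: optional "line N", then either a remark or an ACE with
# an optional port operator (udp/tcp) or ICMP type keyword, then an optional
# hit counter as printed by "show access-list".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+"
    r"(?:remark\s.*|(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|interface\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|interface\s+\S+)"
    r"(?:\s+(?P<qual>(?:eq|range)\s+\d+(?:\s+\d+)?|[a-z-]+))?)"
    r"\s*(?:\(hitcnt=\d+\))?\s*$"
)


@dataclass
class Ace:
    action: str
    proto: str
    dst: str
    ports: Optional[range] = None      # destination ports; None = any port
    icmp_type: Optional[str] = None    # ICMP type keyword; None = any type


def parse_acl(text: str) -> List[Ace]:
    """Parse show access-list style output into ACEs, skipping remark lines."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised access-list line: {raw!r}")
        if m.group("action") is None:          # remark line, nothing to match
            continue
        proto, qual = m.group("proto"), m.group("qual")
        ports = icmp_type = None
        if qual:
            parts = qual.split()
            if parts[0] == "eq":
                ports = range(int(parts[1]), int(parts[1]) + 1)
            elif parts[0] == "range":
                ports = range(int(parts[1]), int(parts[2]) + 1)
            elif proto == "icmp":
                icmp_type = parts[0]
            else:
                raise ValueError(f"unexpected qualifier {qual!r} for {proto}")
        aces.append(Ace(m.group("action"), proto, m.group("dst"), ports, icmp_type))
    return aces


def lookup(aces: List[Ace], proto: str, dport: Optional[int] = None,
           icmp_type: Optional[str] = None) -> str:
    """First-match evaluation of one inbound packet; implicit deny at the end."""
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if ace.ports is not None and (dport is None or dport not in ace.ports):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


def traceroute_probe_ports(max_ttl: int = 30, nprobes: int = 3,
                           base: int = 33434) -> List[int]:
    """Destination ports a classic UDP traceroute uses: one port per probe,
    counting up from the base port, nprobes probes per TTL value."""
    return [base + i for i in range(max_ttl * nprobes)]


def udp_traceroute_report(aces: List[Ace]) -> dict:
    """Which probe ports the inbound ACL would drop, plus the ICMP replies the
    tracing host needs back.  Those replies are generated by the hop that
    receives the probe, so the inbound ACL on the final hop only decides whether
    the probe is accepted; it cannot by itself make the box send the reply."""
    blocked = [p for p in traceroute_probe_ports()
               if lookup(aces, "udp", dport=p) != "permit"]
    return {
        "probes_permitted": not blocked,
        "blocked_ports": blocked,
        "reply_from_intermediate_hop": "icmp time-exceeded",
        "reply_from_final_hop": "icmp unreachable (port-unreachable)",
    }


if __name__ == "__main__":
    for label, text in (("posted", POSTED_ACL), ("tightened", TIGHTENED_ACL)):
        aces = parse_acl(text)
        print(label, "probes permitted:",
              udp_traceroute_report(aces)["probes_permitted"],
              "| udp/53 to outside ->", lookup(aces, "udp", dport=53))
```

Running it shows that both access-lists admit every traceroute probe port, but only the posted one also admits arbitrary UDP (the "obvious reasons" in the first post); the tightened entry denies, for example, udp/53 while still covering ports 33434 to 33534.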