[c-nsp] Traceroute over PIX ver7
Bagosi Rómeó
Romeo.Bagosi at integris.hu
Mon Nov 6 10:43:31 EST 2006
Hi all!
I have a problem with the traceroute output over PIX ver7. In the output there are duplicated items:
Tracing route to r1.abc-29.asd.asd [10.58.29.66]
over a maximum of 30 hops:
1 131 ms 71 ms 74 ms r1.abc-29.asd.asd [10.58.29.66]
2 105 ms 71 ms 71 ms r1.abc-29.asd.asd [10.58.29.66]
3 89 ms 71 ms 72 ms r1.abc-29.asd.asd [10.58.29.66]
4 94 ms 71 ms 71 ms r1.abc-29.asd.asd [10.58.29.66]
Trace complete.
Why is that?
We have to solve this problem because we are monitoring devices with SNMP, and the managing software needs some information based on the traceroute.
In the path to that router there is a PIX firewall, but ICMP isn't denied on it. Here is the config of that PIX:
PIX Version 7.0(4)
!
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.240.11.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.31.255.253 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.240.12.4 255.255.255.0
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.58.0.0 10.58.0.0 netmask 255.255.0.0
static (inside,dmz) 10.59.0.0 10.59.0.0 netmask 255.255.0.0
static (inside,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.0.0
static (inside,dmz) 10.254.0.0 10.254.0.0 netmask 255.255.0.0
route outside 10.240.240.0 255.255.255.0 10.240.11.2 1
route outside 10.240.10.0 255.255.255.0 10.240.11.2 1
route outside 10.240.2.0 255.255.255.0 10.240.11.2 1
route outside 10.2.0.0 255.255.0.0 10.240.11.2 1
route inside 0.0.0.0 0.0.0.0 172.31.255.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.240.10.1 255.255.255.255 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
Thanks,
Romeo Bagosi