[c-nsp] Traceroute over PIX ver7
Sam Stickland
sam_mailinglists at spacething.org
Mon Nov 6 17:15:42 EST 2006
Bagosi Rómeó wrote:
> Hi all!
>
> I have a problem with the traceroute output over PIX ver7. In the output there are duplicated items:
>
> Tracing route to r1.abc-29.asd.asd [10.58.29.66]
> over a maximum of 30 hops:
>
> 1 131 ms 71 ms 74 ms r1.abc-29.asd.asd [10.58.29.66]
> 2 105 ms 71 ms 71 ms r1.abc-29.asd.asd [10.58.29.66]
> 3 89 ms 71 ms 72 ms r1.abc-29.asd.asd [10.58.29.66]
> 4 94 ms 71 ms 71 ms r1.abc-29.asd.asd [10.58.29.66]
>
> Trace complete.
>
> Why is that?
>
> We have to solve this problem because we are monitoring devices with SNMP, and the managing software needs some information based on the traceroute.
>
> In the path to that router there is a pix firewall, but the ICMP isn't denied on that. Here is the config of that PIX:
>
You need to enable the following commands:
fixup protocol icmp
fixup protocol icmp error
(NB: This is version 6 syntax, but the PIX will convert it into the v7
syntax when you enter it).
This will allow the ICMP unreachables generated from the intermediate
devices to be NAT translated correctly. Note that in order to see all
the hops in a traceroute they will _all_ need to have valid NAT
translations to the source.
Also, note that the PIX will not decrease the TTL for traffic that
passes through it so you'll never ever see the PIX in the traceroute.
Sam
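As an added example (not part of the original thread): a small Python checker that parses Windows tracert output like the one quoted above and flags the collapsed-hop symptom, so a monitoring job can alert on it instead of trusting the bogus path. Both sample traces are constructed; the intermediate addresses in the healthy one are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the collapsed trace from the post (every hop reports the target).
BROKEN_TRACE = """\
Tracing route to r1.abc-29.asd.asd [10.58.29.66]
over a maximum of 30 hops:
  1   131 ms    71 ms    74 ms  r1.abc-29.asd.asd [10.58.29.66]
  2   105 ms    71 ms    71 ms  r1.abc-29.asd.asd [10.58.29.66]
  3    89 ms    71 ms    72 ms  r1.abc-29.asd.asd [10.58.29.66]
  4    94 ms    71 ms    71 ms  r1.abc-29.asd.asd [10.58.29.66]
Trace complete.
"""
# Constructed sample of a healthy trace (intermediate hop addresses are made up).
HEALTHY_TRACE = """\
Tracing route to r1.abc-29.asd.asd [10.58.29.66]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2     *        *        *     Request timed out.
  3    70 ms    71 ms    70 ms  198.51.100.9
  4    94 ms    71 ms    71 ms  r1.abc-29.asd.asd [10.58.29.66]
Trace complete.
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
TARGET_RE = re.compile(r"^Tracing route to .*?(\d{1,3}(?:\.\d{1,3}){3})", re.M)
# Hop number, three probe results ("131 ms", "<1 ms" or "*"), then the responder.
HOP_RE = re.compile(r"^[ \t]*(\d+)[ \t]+((?:(?:<?\d+ ms|\*)[ \t]+){3})(.+?)[ \t]*$", re.M)
PROBE_RE = re.compile(r"<?\d+ ms|\*")

@dataclass
class Hop:
    index: int
    rtts: List[Optional[int]]   # RTT in ms per probe; None for a '*' timeout
    address: Optional[str]      # responding IP, or None if every probe timed out

def parse_tracert(text: str):
    """Parse Windows tracert output into (target_ip, [Hop, ...])."""
    m = TARGET_RE.search(text)
    target = m.group(1) if m else None
    hops = []
    for num, probes, responder in HOP_RE.findall(text):
        rtts = [None if p == "*" else int(re.sub(r"\D", "", p)) for p in PROBE_RE.findall(probes)]
        ip = IP_RE.search(responder)
        hops.append(Hop(int(num), rtts, ip.group(0) if ip else None))
    return target, hops

def collapsed_hops(target: Optional[str], hops: List[Hop]) -> bool:
    """True when more than one hop reports the destination address: the symptom of the
    intermediate routers' ICMP Time Exceeded replies not being translated back."""
    return target is not None and sum(h.address == target for h in hops) > 1
```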