Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
514
Views
0
Helpful
3
Replies

PIX and traceroute

kevin-reynolds
Level 1
Level 1

‎01-23-2003 10:41 AM - edited ‎02-20-2020 10:30 PM

I have been testing traceroutes through the PIX and found an interesting anomaly. Current architecture for testing is:

interent(1.1.1.1) -> pix(2.2.2.2) -> router(3.3.3.3) -> host(4.4.4.4)

When performing a traceroute from the internet to the host the following occurs:

1. The pix is transparent, as it should be.

2. The router responds with TTL time exceeded, as it should. I verified this with a sniffer.

3. The host responds with port unreachable, as it should. Again a sniffer.

The problem is the client who performed the traceroute sees something different. It sees the second to last hop with a source IP address of the host and it sees the last hop as the host as well. For example:

It should look like this on the last two hops:

...

7 3.3.3.3 10ms 10ms 10ms

8 4.4.4.4 10ms * 10ms

But it looks like this:

...

7 4.4.4.4 10ms 10ms 10ms

8 4.4.4.4 10ms * 10ms

** I relaize that the asterik occurs because some OS's (including Cisco IOS) will not send two icmp ttl exceededs within 500 ms of eachother.

I have verified, with a sniffer, that the destination host only responds with two icmp TTL exceeded messages. I have also verified that the router responds with three icmp port unreachables with its own source address. When received at the client station though, the source address has changed to that of the host.

It looks like the PIX is changing the IP address of any port unreachable messages to that of the destination host. Has any else observed this behaviour?

If Cisco has written this into the code for security reasons then they better think again. If this is true and I do not have a problem on my side, then Cisco has provided a mechanism for fingerprinting the firewall.

Kevin

0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎01-23-2003 04:23 PM

This is by design, see the notes on bug CSCdv33352.

I'll let you work it out with your Account Manager as to whether this "feature" should be configurable or not.

0 Helpful

francoso
Level 1
Level 1
In response to gfullage

‎02-08-2003 11:29 AM

Is this bug also apply when traceroute from a host/router at a lower security interface to a host/router at a higher security interface ?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to francoso

‎02-09-2003 03:57 PM

Yes. That is what this posting has been all about.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card