I am having some issues tracerouting thru the PIX. When I tracert from an interface with a security level of 99 thru to a segment behind the inside interface I get the following.
Tracing route to [126.96.36.199] over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms [188.8.131.52]
2 <10 ms <10 ms 16 ms [184.108.40.206]
3 <10 ms <10 ms 16 ms [220.127.116.11]
Trace complete.
So, it goes like this from a system off the sec99 interface:
sec99 segment => PIX => inside interface => router => private T1 => router => 18.104.22.168
Hopefully that didn't mess anyone up! But my question is what could be some causes of seeing my address for every hop of the tracert? My expectation is seeing 3 different addresses and mine being the 3rd.
Any help is appreciated and if anyone needs more information please let me know.
This is a known issue, CSCdv33352. Actually this became a feature enhancement rather than a bug because the PIX was working as it was designed. Basically, it NATs the ICMP packets as they get returned from each intermediate hop in the traceroute, and so to the originating host it looks like each intermediate hop is the PIX.
This is fixed in 6.3 code due out soon, although I think it will be configurable with a sysopt command or something similar. If you don't configure anything, the PIX will continue to work as it always has.
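A way to spot this symptom in saved tracert output, as an added example that is not part of the original thread: it parses Windows-style tracert hop lines and reports any address that answers at more than one hop, which is what a trace looks like when a NAT device rewrites the source of the returning ICMP errors. The function names and the sample traces (using documentation addresses) are constructed for illustration.

```python
import re

# One hop line of Windows tracert output: hop number, three RTT columns
# ("<10 ms", "16 ms" or "*"), then the responder address, bracketed or bare.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+\s+ms|\*)\s+){3}\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$"
)

def parse_tracert(text):
    """Return [(hop_number, responder_ip), ...]; timed-out hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def repeated_responders(hops):
    """Map each address seen at more than one hop to the hops it answered.

    On an untranslated path every TTL-expired reply comes from a different
    router, so any entry here suggests the replies were rewritten in transit.
    """
    seen = {}
    for hop, ip in hops:
        seen.setdefault(ip, []).append(hop)
    return {ip: nums for ip, nums in seen.items() if len(nums) > 1}

# Constructed sample: every hop reports the same address (the symptom).
MASKED_TRACE = """\
Tracing route to 192.0.2.50 over a maximum of 30 hops
  1   <10 ms   <10 ms   <10 ms  192.0.2.50
  2   <10 ms   <10 ms    16 ms  192.0.2.50
  3   <10 ms   <10 ms    16 ms  192.0.2.50
Trace complete.
"""

# Constructed sample: each hop answers with its own address (expected view).
NORMAL_TRACE = """\
Tracing route to 192.0.2.50 over a maximum of 30 hops
  1   <10 ms   <10 ms   <10 ms  [198.51.100.1]
  2     *        *        *     Request timed out.
  3   <10 ms   <10 ms    16 ms  [203.0.113.1]
  4   <10 ms   <10 ms    16 ms  [192.0.2.50]
Trace complete.
"""

if __name__ == "__main__":
    for name, trace in (("masked", MASKED_TRACE), ("normal", NORMAL_TRACE)):
        print(name, repeated_responders(parse_tracert(trace)))
```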