The PIX Firewall does not support the initiation of the traceroute command as it is not part of the PIX command set. However, it can be configured to allow traceroute through it. When a traceroute command is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of inside networks. The destination address is displayed multiple times for each internal hop. Traceroutes only work with static Network Address Translations (NATs) and not with Port Address Translation (PAT) IP addresses.
For example, a client on the Internet with the address 188.8.131.52 does a traceroute to a web server on the inside of the PIX with a public address of 184.108.40.206 and a private address of 10.1.3.25. There are two routers between the PIX and the internal web server. This is how the output of the traceroute command appears on the client machine:
Target IP address: 220.127.116.11 Source address: 18.104.22.168
Tracing the route to 22.214.171.124
1 126.96.36.199 4 msec 3 msec 4 msec
2 188.8.131.52 3 msec 5 msec 0 msec
3 184.108.40.206 4 msec 6 msec 3 msec
4 220.127.116.11 3 msec 2 msec 2 msec
From PIX version 6.3, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.
In PIX 7.0, if NAT is enabled, the IP addresses of the PIX interfaces and the real IP addresses of the intermediate hops cannot be seen. However, in PIX 7.0, NAT is not a must and can be disabled with the no nat-control command. If the NAT rule is removed, the real IP address can be seen, provided that the real IP address is a routeable one.
There can be two different scenarios when traceroute is configured through the PIX. They are:
In order to allow traceroute outbound through the PIX, there must be static or global statements to allow the address translation. In addition to the static or global statements, conduits or access control lists (ACLs) are also added (ACLs are preferred over conduits as conduits have been deprecated in PIX OS code 7.x and later). For example, these ACLs need to be configured to allow inside users to traceroute outside:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside !--- Binding the access list 101 to the outside interface.
This allows only the return messages listed through the firewall when an inside user pings to an outside host. Other types of ICMP status messages may be hostile, and the firewall blocks them.
For PIX Firewalls that operate on PIX OS code 7.x and later, ICMP inspection must be enabled with the inspect icmp command. Issue theinspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. The security appliance overwrites the packet with the translated IP addresses.
In order to issue the traceroute command to get to a device inside the PIX, there must be a static mapping to the inside device. Also, in addition to the static or global statements, conduits or ACLs are also required to be added to the configuration.
Note: Make sure that ICMP is not blocked. Look at the output of the show icmp command for PIX OS 6.3 and earlier and the output of the show running-config icmp command for PIX OS 7.0 and later in order to do this.
I would like to set a dedicated client-to-site VPN tunnel for each user, having they individual x.509 certificates. However RV354P seems to have a limit of 10 client-to-site tunnels. Can this limit be increased or removed? If not, what would be ...
Hi Everyone, I have a question about using multiple IPsec tunnel.Below is a simple diagram that I think to implement. 1. I have 2 sites connecting over internet. I want to connect them with IPsec tunnel. (not use GRE or VTI tunnel)2. I peer them...
Hello, I have a simple question to understand the behavior from the ASA side. Once the connection is marked as half-closed , during that ( 30 seconds ) if the ASA will receive a syn packet related to the original connection what will happen exac...
Hi Cisco Guru, I'm currently using FPR1K running FDM code with outside interface is DHCP. However, since our ISP subscription is dynamic IP and they may sometimes force to renew a new IP and when this occur, my FPR will keep the old IP even disable a...
Hello, Our SSL Certificate on the admin portal has expired and will not allow us to log on. The cert was issued by our local CA via a CSR from the ISE instance. I do have access to the CLI. I'm not given the opportunity to logon, I get an SSL error f...