The PIX Firewall does not support the initiation of the traceroute command as it is not part of the PIX command set. However, it can be configured to allow traceroute through it. When a traceroute command is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of inside networks. The destination address is displayed multiple times for each internal hop. Traceroutes only work with static Network Address Translations (NATs) and not with Port Address Translation (PAT) IP addresses.
For example, a client on the Internet with the address 184.108.40.206 does a traceroute to a web server on the inside of the PIX with a public address of 220.127.116.11 and a private address of 10.1.3.25. There are two routers between the PIX and the internal web server. This is how the output of the traceroute command appears on the client machine:
Target IP address: 18.104.22.168
Source address: 22.214.171.124
Tracing the route to 126.96.36.199
1 188.8.131.52 4 msec 3 msec 4 msec
2 184.108.40.206 3 msec 5 msec 0 msec
3 220.127.116.11 4 msec 6 msec 3 msec
4 18.104.22.168 3 msec 2 msec 2 msec
From PIX version 6.3, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.
In PIX 7.0, if NAT is enabled, the IP addresses of the PIX interfaces and the real IP addresses of the intermediate hops cannot be seen. However, in PIX 7.0, NAT is not a must and can be disabled with the no nat-control command. If the NAT rule is removed, the real IP address can be seen, provided that the real IP address is a routeable one.
There can be two different scenarios when traceroute is configured through the PIX. They are:
- In order to allow traceroute outbound through the PIX, there must be static or global statements to allow the address translation. In addition to the static or global statements, conduits or access control lists (ACLs) are also added (ACLs are preferred over conduits as conduits have been deprecated in PIX OS code 7.x and later). For example, these ACLs need to be configured to allow inside users to traceroute outside:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
!--- Binding the access list 101 to the outside interface.
This allows only the return messages listed through the firewall when an inside user pings to an outside host. Other types of ICMP status messages may be hostile, and the firewall blocks them.
For PIX Firewalls that operate on PIX OS code 7.x and later, ICMP inspection must be enabled with the inspect icmp command. Issue the inspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. The security appliance overwrites the packet with the translated IP addresses.
- In order to issue the traceroute command to get to a device inside the PIX, there must be a static mapping to the inside device. Also, in addition to the static or global statements, conduits or ACLs are also required to be added to the configuration.
Note: Make sure that ICMP is not blocked. Look at the output of the show icmp command for PIX OS 6.3 and earlier and the output of the show running-config icmp command for PIX OS 7.0 and later in order to do this.
For details, refer to The PIX and the traceroute Command and Handling ICMP Pings with PIX Firewall.