We upgraded our PIXs to 7.0(2) and now cannot see intermediate hops with a traceroute to outside. As a workaround I enabled inspect icmp error. This resolved the traceroute but stopped PMTU working (we need PMTU for sessions going via a VPN) so I had...
I have captured the icmp debugs which show a difference in the way the ICMP unreachables are NAT'd with the inspect icmp error enabled:

Note: I have changed the IP addresses.

inspect icmp error enabled:

Pix inside:
10.90.200.7 > 10.90.100.97: icmp: ...
The VPN is not terminated on the PIX but via a separate VPN device (Cisco VPN router). I did not remove the access list. I left both the inspect icmp error and access lists in place and the PMTU stopped working.
I used this information to get SDM working in my network (when TAC was no help at all). There was one additional command that I needed to add on the router (and switches for http authentication):

aaa authorization exec default group tacacs+