How to configure the PIX Firewall to allow traceroutes through it
The PIX Firewall does not support the initiation of the traceroute command as it is not part of the PIX command set. However, it can be configured to allow traceroute through it. When a traceroute command is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of inside networks. The destination address is displayed multiple times for each internal hop. Traceroutes only work with static Network Address Translations (NATs) and not with Port Address Translation (PAT) IP addresses.
For example, a client on the Internet with the address 209.165.202.130 does a traceroute to a web server on the inside of the PIX with a public address of 209.165.201.25 and a private address of 10.1.3.25. There are two routers between the PIX and the internal web server. This is how the output of the traceroute command appears on the client machine:
Target IP address: 209.165.201.25
Source address: 209.165.202.130
Tracing the route to 209.165.201.25
1 209.165.202.128 4 msec 3 msec 4 msec
2 209.165.201.25 3 msec 5 msec 0 msec
3 209.165.201.25 4 msec 6 msec 3 msec
4 209.165.201.25 3 msec 2 msec 2 msec
From PIX version 6.3, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.
Gishore James
Latest posts by Gishore James (see all)
- Microsoft Office for iPhone – Changing Strategy of Microsoft - June 16, 2013
- Guidelines for International websites from Google - June 13, 2013
- Google is to Change the rankings of smartphone search results - June 12, 2013