The PIX Firewall does not support the initiation of the traceroute command as it is not part of the PIX command set. However, it can be configured to allow traceroute through it. When a traceroute command is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of inside networks. The destination address is displayed multiple times for each internal hop. Traceroutes only work with static Network Address Translations (NATs) and not with Port Address Translation (PAT) IP addresses.
For example, a client on the Internet with the address 188.8.131.52 does a traceroute to a web server on the inside of the PIX with a public address of 184.108.40.206 and a private address of 10.1.3.25. There are two routers between the PIX and the internal web server. This is how the output of the traceroute command appears on the client machine:
Target IP address: 220.127.116.11
Source address: 18.104.22.168
Tracing the route to 22.214.171.124
1 126.96.36.199 4 msec 3 msec 4 msec
2 188.8.131.52 3 msec 5 msec 0 msec
3 184.108.40.206 4 msec 6 msec 3 msec
4 220.127.116.11 3 msec 2 msec 2 msec
From PIX version 6.3, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.