pix as a hop

Oct 28th, 2007

Hi,

Could a pix firewall show as part of a hop on a tracert?

If not, any reason for it?

Because we have done a tracert on a machine across a pix and it bypasses the pix as a hop.

thanks

Correct Answer
Jon Marshall Mon, 10/29/2007 - 04:20

Hi

From lab setup

R3(192.168.12.2) -> (192.168.12.1) R1 (192.168.10.56) -> (192.168.10.1 - outside) Pix (192.168.0.99 - inside) -> (192.168.0.42) R2

I allowed icmp from outside to the inside address of 192.168.0.42.

From R3

R3#traceroute 192.168.0.42
Type escape sequence to abort.
Tracing the route to 192.168.0.42
  1 192.168.12.1 0 msec 0 msec 4 msec
  2 192.168.0.42 0 msec 0 msec *
R3#

So a pix will not show as part of a traceroute. It doesn't bypass the pix as such; it still has to go through the pix, but the pix does not respond.

HTH

Jon
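
Added example, not part of the original thread: a toy traceroute model over the lab path in the answer above, comparing three hop behaviours (assumed for illustration) for the Pix. Only the hop that forwards without decrementing TTL reproduces the two-row output shown; a hop that decrements TTL but sends no reply would leave a `*` row instead.

```python
# Toy model of traceroute over the lab path R3 -> R1 -> Pix -> R2.
# The three hop behaviours are modelling assumptions, not captured device output.
REPLY = "decrements TTL, sends time-exceeded"
SILENT = "decrements TTL, sends nothing"
TRANSPARENT = "forwards without decrementing TTL"

DEST = "192.168.0.42"  # R2, the traceroute target in the lab


def lab_path(pix_behaviour):
    """Devices between R3 and R2, with the address each would reply from."""
    return [
        ("192.168.12.1", REPLY),          # R1
        ("192.168.10.1", pix_behaviour),  # Pix outside interface
    ]


def traceroute(path, dest, max_ttl=8):
    """Return what the prober sees per probe TTL: an address or '*'."""
    rows = []
    for start_ttl in range(1, max_ttl + 1):
        ttl = start_ttl
        answer = dest  # the probe reaches the target unless it expires first
        for addr, behaviour in path:
            if behaviour == TRANSPARENT:
                continue  # TTL untouched, so this hop can never expire a probe
            ttl -= 1
            if ttl == 0:
                answer = addr if behaviour == REPLY else "*"
                break
        rows.append(answer)
        if answer == dest:
            break
    return rows


if __name__ == "__main__":
    for behaviour in (TRANSPARENT, SILENT, REPLY):
        print(f"Pix {behaviour}:")
        for n, row in enumerate(traceroute(lab_path(behaviour), DEST), 1):
            print(f"  {n} {row}")
```

When reading a real trace, a missing row (destination one hop closer than the topology says) and a `*` row point to different device behaviour, even though both hide the firewall's address.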

royalblues Tue, 10/30/2007 - 12:59

I think if you allow ICMP to initiate from inside, then the pix certainly shows as a hop

i.e. if we do a traceroute from R2 towards R3 then we will see pix as a hop

I do not have a lab to set this up but I have seen the pix ip as a part of trace in the above scenario.

HTH

Narayan
