Solved: pix as a hop

cfajardo1_2 · ‎10-28-2007

hi,

could a pix firewall shows as part of a hop on a tracert?

if not, any reason about it.

coz we have done a tracert on a machine accross a pix and it bypasses the pix as a hop.

thanks

Jon Marshall · ‎10-29-2007

Hi

From lab setup

R3(192.168.12.2) -> (192.168.12.1) R1 (192.168.10.56) -> (192.168.10.1 - outside) Pix (192.168.0.99 - inside) -> (192.168.0.42) R2

I allowed icmp from outside to the inside address of 192.168.0.42.

From R3

R3#traceroute 192.168.0.42

Type escape sequence to abort.

Tracing the route to 192.168.0.42

1 192.168.12.1 0 msec 0 msec 4 msec

2 192.168.0.42 0 msec 0 msec *

R3#

So a pix will not show as part of a traceroute. It doesn't bypass the pix as such it still has to go through the pix but the pix does not respond.

HTH

Jon

Jon Marshall · ‎10-29-2007

Hi

From lab setup

R3(192.168.12.2) -> (192.168.12.1) R1 (192.168.10.56) -> (192.168.10.1 - outside) Pix (192.168.0.99 - inside) -> (192.168.0.42) R2

I allowed icmp from outside to the inside address of 192.168.0.42.

From R3

R3#traceroute 192.168.0.42

Type escape sequence to abort.

Tracing the route to 192.168.0.42

1 192.168.12.1 0 msec 0 msec 4 msec

2 192.168.0.42 0 msec 0 msec *

R3#

So a pix will not show as part of a traceroute. It doesn't bypass the pix as such it still has to go through the pix but the pix does not respond.

HTH

Jon

royalblues · ‎10-30-2007

I think if you allow ICMP to initiate from inside, then the pix certianly shows as a hop

i.e if we do a traceroute from R2 towards R3 then we will see pix as a hop

I do not have a lab to set this up but i have seen the pix ip as a part of trace in the above scenario.

HTH

Narayan

Edison Ortiz · ‎10-30-2007

Please see: