I'm currently running PIX 18.104.22.168 and preparing for an ASA conversion. In anticipation of the move I've been cleaning up the configs and decided to turn on ICMP & ICMP Error Inspection so I could replace the "permit icmp any any" statement on my outside ACL with a more secure option.
However, traceroutes from Windows boxes now only show the first and last hops. I tried clearing the xlate, but still no go. If I add the permit statement back in it works. Isn't ICMP Error Inspection supposed to take care of this?
Am I missing something?
In the context of your first statement, I would like to tell you that outbound traceroute requires an access-list on the outside interface for time-exceeded and unreachable (for UDP traceroute), as just enabling ICMP Inspection and ICMP Error Inspection in the policy-map won't allow the return traffic from the upstream / intermediate hops.
If you are using PAT, then certainly you are hitting this bug. But as I stated earlier, it is highly recommended to upgrade the code, as 7.0 is very old code.
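To show what the reply above is describing, here is an added configuration fragment (not from the original thread or from Cisco) that replaces the blanket "permit icmp any any" with only the ICMP error types traceroute depends on, while keeping ICMP and ICMP error inspection enabled. The ACL name OUTSIDE_IN, the interface name outside, and the default policy-map names are assumptions; adjust them to your own config.

```cisco
! Before: blanket permit on the outside ACL (the line the question wants to retire)
access-list OUTSIDE_IN extended permit icmp any any
!
! After: permit only the error messages that intermediate and final hops send back
! (OUTSIDE_IN and "outside" are assumed names for this example)
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Keep ICMP inspection on so echo / echo-reply state (Windows tracert) is tracked
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Check: run tracert from an inside host, then "show access-list OUTSIDE_IN"
! and confirm the hitcnt on the time-exceeded entry increases per hop shown.
```

The unreachable entry is what lets a UDP-based traceroute see its final hop (port unreachable); the time-exceeded entry is what restores the intermediate hops for both ICMP and UDP variants.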