Hi Ajaz,

I have tried that also before but no expected ICMP message output displayed. I have tried it again. Please see the information below:

~~~~~~~~~~~~~~~~~

On the PIX:

PIX(config)# show debug

debug icmp trace

PIX(config)# 111009: User 'enable_15' executed cmd: show debug

PIX(config)# 302015: Built outbound UDP connection 23 for outside:10.50.13.1/33434 (10.50.13.1/33434) to inside:10.10.6.2/33123 (10.50.31.22/33123)

302015: Built outbound UDP connection 24 for outside:10.50.13.1/33435 (10.50.13.1/33435) to inside:10.10.6.2/36853 (10.50.31.22/36853)

302015: Built outbound UDP connection 25 for outside:10.50.13.1/33436 (10.50.13.1/33436) to inside:10.10.6.2/38225 (10.50.31.22/38225)

302015: Built outbound UDP connection 26 for outside:10.50.13.1/33437 (10.50.13.1/33437) to inside:10.10.6.2/41722 (10.50.31.22/41722)

302015: Built outbound UDP connection 27 for outside:10.50.13.1/33438 (10.50.13.1/33438) to inside:10.10.6.2/41954 (10.50.31.22/41954)

302015: Built outbound UDP connection 28 for outside:10.50.13.1/33439 (10.50.13.1/33439) to inside:10.10.6.2/35614 (10.50.31.22/35614)

~~~~~~~~~~~~~~~~~~~~~~~~~

ON the Router:

R6-FRSW#traceroute 10.50.13.1

Type escape sequence to abort.

Tracing the route to 10.50.13.1

1 10.50.31.2 8 msec 4 msec 4 msec

2 10.50.13.1 36 msec * 36 msec

R6-FRSW#

Regards,

Lorenz

Lorenz,

Is there any chance please you can share the configuration with us in terms of NAT etc.

I would also like to request the exact debug commands you are executing with all the relevant IP addresses.

thanks in advance

Ajaz Nawaz

Hi Ajaz,

Here are the debug command I put:

debug packet outside src 10.50.13.1 netmask 255.255.255.255 dst 10.50.31.22 proto icmp

debug icmp trace

Note: The 10.50.13.1 is two (2) hops away.

The following is my NAT commands:

PIX(config)# sh nat

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# sh global

global (outside) 1 interface

PIX(config)# sh static

static (inside,outside) 10.50.31.22 10.10.6.2 netmask 255.255.255.255 0 0

static (inside,outside) 16.16.16.16 16.16.16.16 netmask 255.255.255.255 0 0

static (inside,outside) 166.166.166.166 166.166.166.166 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.60 192.168.6.60 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.65 192.168.6.65 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.6 192.168.6.6 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.99 192.168.6.99 netmask 255.255.255.255 0 0

PIX(config)#

As you might notice, I have taken these from Yusuff's Practice Labs scenario. I am trying to recreate it and doing some debugs to check whether the ICMP return message from the Traceroute is coming to my PIX interface. but unfortunately I do not see such ICMP message pertaining to the traceroute.

Regards,

Lorenz

Lorenz

I'm afraid I do not have access to Yusuff's book.

The below debug states a dst IP address (10.50.31.22) that is also defined as a static on the PIX why?

We need to verify why this is and the associated access-lists. We also need to ascertain if the outbound packet uses the global or no-nat access-list hence we need all or more of the config.

If possible please supply full config of the PIX.

Theory:

The debug used below will not pick up the ICMP packet trace if the src is NAT?ed to the global 1 (interface address) as the reply from the dst host will be back to the interface address.

We can investigate this further if we have more of the config.

Note: Possible issues for ?Debug ICMP trace? because of static configured on PIX

bye for now,

Ajaz Nawaz

Hi Ajaz,

Whew! I finally got hold of the truth. It was some routing misconfiguration on the next hop router of the PIX. There was no problem with the PIX. The 10.50.31.2 router was not properly redistributing subnets information to the OSPF network thereby not giving the destination router 10.50.13.1 the proper route back. This gives me the timeouts all the time. Now I can get the ICMP Type 3 Code 3 from the 10.50.13.1.

Here are the outputs:

PIX(config)# --------- PACKET ---------

-- IP --

10.50.13.1 ==> 10.50.31.22

ver = 0x4 hlen = 0x5 tos = 0xc0 tlen = 0x38

id = 0xf38 flags = 0x0 frag off=0x0

ttl = 0xfe proto=0x1 chksum = 0x6c52

-- ICMP --

type = 0x3 code = 0x3 checksum=0x3d91

identifier = 0x0 seq = 0x0

-- DATA --

00000010: 45 00 00 1c | E...

00000020: 21 1b 00 00 01 11 58 3c 0a 32 1f 16 0a 32 0d 01 | !.....X<.2...2..

00000030: 83 ff 82 9d 00 08 b8 c6 02 | .........

--------- END OF PACKET ---------

--------- PACKET ---------

-- IP --

10.50.13.1 ==> 10.50.31.22

ver = 0x4 hlen = 0x5 tos = 0xc0 tlen = 0x38

id = 0xf39 flags = 0x0 frag off=0x0

ttl = 0xfe proto=0x1 chksum = 0x6c51

-- ICMP --

type = 0x3 code = 0x3 checksum=0x3d91

identifier = 0x0 seq = 0x0

-- DATA --

00000010: 45 00 00 1c | E...

00000020: 21 21 00 00 01 11 58 36 0a 32 1f 16 0a 32 0d 01 | !!....X6.2...2..

00000030: 85 c2 82 9f 00 08 b7 01 00 | .........

--------- END OF PACKET ---------

Thanks anyways for the theory that you gave previously. The NAT to the interface is not connected with the IP source address used in the traceroute because the Router behind the PIX uses a static NAT (to 10.50.31.22).

PS: Thanks for giving me your time. Hope to interact with you sometime again!

Regards,

Lorenz