Hey, Group. In my production network, I'm trying to do some extended traces and pings with the record option turned on to see what route my packets take going and returning. It's not working. If I do the extended traceroute or ping without the record option, it works fine. There is a firewall (PIX) a few hops in front of the destination I'm trying to record the route for. What part of ICMP is this that needs to be opened on the firewall to allow this to come back? First time I'm coming across this. Thanks, Danny
I believe source routing must be permitted in order for the record route to function. Otherwise the packet is dropped.
Chris
On Mon, 2003-12-22 at 16:45, Danny.Andaluz@triaton-na.com wrote:
> Hey, Group.
> In my production network, I'm trying to do some extended traces and pings with the record option turned on to see what route my packets take going and returning. It's not working. If I do the extended traceroute or ping without the record option, it works fine. There is a firewall (PIX) a few hops in front of the destination I'm trying to record the route for. What part of ICMP is this that needs to be opened on the firewall to allow this to come back? First time I'm coming across this.
> Thanks, Danny
Danny.Andaluz@triaton-na.com wrote:
> Hey, Group.
> In my production network, I'm trying to do some extended traces and pings with the record option turned on to see what route my packets take going and returning. It's not working. If I do the extended traceroute or ping without the record option, it works fine. There is a firewall (PIX) a few hops in front of the destination I'm trying to record the route for. What part of ICMP is this that needs to be opened on the firewall to allow this to come back? First time I'm coming across this.
It's not ICMP. It's the IP Options. Most firewalls will drop any packet with IP Options. Many firewalls will not let you turn this off. I do not know how to allow IP Options through a PIX, but I know how to do it in Cisco IOS.
--
Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
On Mon, 2003-12-22 at 18:18, Crist Clark wrote:
> Danny.Andaluz@triaton-na.com wrote:
> > Hey, Group.
> > In my production network, I'm trying to do some extended traces and pings with the record option turned on to see what route my packets take going and returning. It's not working. If I do the extended traceroute or ping without the record option, it works fine. There is a firewall (PIX) a few hops in front of the destination I'm trying to record the route for. What part of ICMP is this that needs to be opened on the firewall to allow this to come back? First time I'm coming across this.
> It's not ICMP. It's the IP Options. Most firewalls will drop any packet with IP Options.
Actually, I've done some testing on this. Most firewalls completely ignore options and do not allow you to filter them. I've found quite a few NAT firewalls that you can easily bounce over using loose source routing. The exceptions I've found are PIX, IPFilter, pf and iptables. Cisco IOS has a new "ip options drop" command, but I have not tried it. Older versions of IOS would let you do rudimentary option filtering via ACLs, but I don't remember record route as being one of the possible options. So I would also guess that the PIX is the culprit. You can try disabling the options drop to see if that helps, and check the ACLs to see if options are being filtered. Either way you can confirm this is where you are losing the packet by taking some traces or checking the logs.
HTH,
C
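Added example, not from anyone in the thread: a small Python parser that walks the IPv4 option area of a captured header and reports the Record Route and source-route options that PIX, pf, IPFilter and iptables can drop, which is the check you would run on traces taken on each side of the firewall to see where the options-bearing packet disappears. The sample headers are constructed in the block (documentation addresses, no real capture).

```python
import struct

# IPv4 option type codes (RFC 791); the route options firewalls tend to drop.
OPT_EOL, OPT_NOP = 0, 1
OPT_NAMES = {7: "record-route", 131: "loose-source-route", 137: "strict-source-route"}


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(option_name, [dotted_addrs])] for each route option in an IPv4
    header; an empty list means no firewall-hostile option is present."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        if kind in OPT_NAMES:
            if length < 3:
                raise ValueError("truncated route option")
            pointer, addrs = opts[i + 2], opts[i + 3:i + length]
            # Record Route: pointer (>= 4) marks the next free slot, so only bytes
            # before it are recorded hops. Source routes carry the whole route list.
            used = addrs[:max(pointer - 4, 0)] if kind == 7 else addrs
            hops = [".".join(map(str, used[j:j + 4])) for j in range(0, len(used) // 4 * 4, 4)]
            found.append((OPT_NAMES[kind], hops))
        i += length
    return found


def ipv4_header_with(option: bytes) -> bytes:
    """Constructed sample (not a capture): header-only IPv4 packet with one option."""
    opts = option + b"\x00" * ((-len(option)) % 4)  # pad to 32-bit words with EOL
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts), 0, 0,
                        64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + opts


# Record Route with two of three slots filled (pointer 12); loose source route with one hop.
RR_SAMPLE = bytes([7, 15, 12, 192, 0, 2, 1, 192, 0, 2, 2, 0, 0, 0, 0])
LSRR_SAMPLE = bytes([131, 7, 4, 198, 51, 100, 7])
```

Feed `parse_ipv4_options` the raw IP header bytes from a capture on each side of the PIX; if the inside trace shows the option and the outside trace never sees the packet, the firewall is where the options-bearing packet is lost.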
participants (4): Chris Brenton, Chris Griffin, Crist Clark, Danny.Andaluz@triaton-na.com