Maik,
I have experienced this on several PIXen. It seems to be a limitation of the
PAT implementation. If you have a 1to1 address mapping for your address
(Dynamic NAT) then it should succeed; however, if you are one of the unlucky
ones to be translated by the PAT overflow address then tracert will not work
from a Windows machine because it uses ICMP, which doesn't have a "Port".
From most Unix boxes and other routers it uses UDP, which should work
outbound (even on PAT, although I haven't tested this). To test which way
you are going outbound use the following commands: show xlate local <your
private IP>, show xlate global <your External IP>, show xlate gport <Global
port>, or show xlate lport <Internal port>. To overcome this apply a Static
to anyone who needs to tracert, "static (inside,outside) <External IP>
<Internal IP> netmask 255.255.255.255 0 0" combined with a reserved address
in DHCP for your internal IP. Notice the order of the addresses: they are
entered in the reverse order of the statement in parentheses.
Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Maik Fischer
Sent: Monday, March 26, 2001 8:47 AM
To: [EMAIL PROTECTED]
Subject: problem with pix506
hi out there,
maybe there's someone who can help me:
i have a pix506 (ver5.2(3)). everything works fine (nat, pat, etc),
except traceroute from the inside to the outside (the other way is
forbidden). every try has a time-out.
has someone the ACLs i need to allow it?
thanx in advance,
--
mfg
Maik Fischer
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]