[66071] in North American Network Operators' Group
RE: Trace and Ping with Record Option on Cisco Routers
daemon@ATHENA.MIT.EDU (Danny.Andaluz@triaton-na.com)
Tue Dec 23 09:28:11 2003
From: Danny.Andaluz@triaton-na.com
To: crist.clark@globalstar.com
Cc: nanog@merit.edu
Date: Tue, 23 Dec 2003 09:30:31 -0500
Errors-To: owner-nanog-outgoing@merit.edu
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C3C961.51735730
Content-Type: text/plain
That's exactly it, Crist. I did a little research and that the PIX drops
any packets with IP Options turned on. Currently there is no workaround.
This is IP Option 7 to be exact.
Thanks,
Danny
-----Original Message-----
From: Crist Clark [mailto:crist.clark@globalstar.com]
Sent: Monday, December 22, 2003 6:18 PM
To: Andaluz, Danilo, Triaton/NA
Cc: nanog@merit.edu
Subject: Re: Trace and Ping with Record Option on Cisco Routers
> Danny.Andaluz@triaton-na.com wrote:
>
> Hey, Group.
>
> In my production network, I'm trying to do some extended traces and
> pings with the record option turned on to see what route my packets
> take going and returning. It's not working. If I do the extended
> traceroute or ping without the record option, it works fine. There is
> a firewall (PIX) a few hops in front of the destination I'm trying to
> record the route for. What part of ICMP is this that needs to be
> opened on the firewall to allow this to come back? First time I'm
> coming across this.
It's not ICMP. It's the IP Options. Most firewalls will drop any packet with
an IP Options. Many firewalls will not let you turn this off. I do not know
how to allow IP Options through a PIX, but I know how to do it in Cisco IOS.
--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
------_=_NextPart_001_01C3C961.51735730
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>RE: Trace and Ping with Record Option on Cisco Routers</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2>That's exactly it, Crist. I did a little =
research and that the PIX drops any packets with IP Options turned =
on. Currently there is no workaround. This is IP Option 7 =
to be exact.</FONT></P>
<P><FONT SIZE=3D2>Thanks,</FONT>
<BR><FONT SIZE=3D2>Danny</FONT>
</P>
<P><FONT SIZE=3D2>-----Original Message-----</FONT>
<BR><FONT SIZE=3D2>From: Crist Clark [<A =
HREF=3D"mailto:crist.clark@globalstar.com">mailto:crist.clark@globalstar=
.com</A>] </FONT>
<BR><FONT SIZE=3D2>Sent: Monday, December 22, 2003 6:18 PM</FONT>
<BR><FONT SIZE=3D2>To: Andaluz, Danilo, Triaton/NA</FONT>
<BR><FONT SIZE=3D2>Cc: nanog@merit.edu</FONT>
<BR><FONT SIZE=3D2>Subject: Re: Trace and Ping with Record Option on =
Cisco Routers</FONT>
</P>
<BR>
<P><FONT SIZE=3D2>> Danny.Andaluz@triaton-na.com wrote:</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> Hey, Group.</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> In my production network, I'm trying to do some =
extended traces and </FONT>
<BR><FONT SIZE=3D2>> pings with the record option turned on to see =
what route my packets </FONT>
<BR><FONT SIZE=3D2>> take going and returning. It's not =
working. If I do the extended </FONT>
<BR><FONT SIZE=3D2>> traceroute or ping without the record option, =
it works fine. There is </FONT>
<BR><FONT SIZE=3D2>> a firewall (PIX) a few hops in front of the =
destination I'm trying to </FONT>
<BR><FONT SIZE=3D2>> record the route for. What part of ICMP =
is this that needs to be </FONT>
<BR><FONT SIZE=3D2>> opened on the firewall to allow this to come =
back? First time I'm </FONT>
<BR><FONT SIZE=3D2>> coming across this.</FONT>
</P>
<P><FONT SIZE=3D2>It's not ICMP. It's the IP Options. Most firewalls =
will drop any packet with an IP Options. Many firewalls will not let =
you turn this off. I do not know how to allow IP Options through a PIX, =
but I know how to do it in Cisco IOS.</FONT></P>
<P><FONT SIZE=3D2>-- </FONT>
<BR><FONT SIZE=3D2>Crist J. =
Clark &=
nbsp; &=
nbsp; =
crist.clark@globalstar.com</FONT>
<BR><FONT SIZE=3D2>Globalstar =
Communications &nbs=
p; &nbs=
p; (408) =
933-4387</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01C3C961.51735730--
