Funny you should ask, I just came across this with a PIX firewall instead
a FW1. the problem is with NT's implementation of TRACEROUTE. They use
ICMP ECHO REQUESTS versus the STANDARD UDP PACKETS WITH INCREASING UDP PORT
NUMBERS. If you have a chance, does the traceroute work from a UNIX box?
When using the ICMP, all it has is order received for the TTL's and to
match the source address in the tagged on IP header. In the UDP case, it
uses the s/d UDP ports from the 64 bits after the IP header.
Let me know what you find out. As I saw this note, I was looking for other
versions of trace-route that used UDP. However, none that I have found do
it with UDP. My thought is that it is part of the TCP/IP stack in NT...
Any help would be appreciated.
Gregory Otto e-mail gdo @
New Frontier Consulting WWW http://www.newf.com
Houston, Texas Voice (713) 718-1358
From: Jose R. Ferreira <jricardo @
To: firewalls @
Subject: FireWall-1 and traceroute
Date: Friday, May 16, 1997 2:32 PM
Jose R. Ferreira
I have a FireWall-1 2.0 VPN (output of "fw ver" - "This is CheckPoint
FireWall-1 Version 2.0e [VPN]") installed in the company I working for.
Well, I realized that the traceroute command from the internal network to
any address on Internet (external network)
doesn´t work well. The traceroute command is only able to show hosts and
routers traced in the internal network, never in the external.
Using the"snoop" comand on the FireWall machine and a Windows NT analyser
as a source of the traceroute packets, analysing frames going out from the
FireWall to the internal network I verified that the NAT is not
translating the destination address to the internal network address, in
case of " ICMP Time Exceeded" datagram sent from hosts or routers on
Internet. The destination address remains the external address configured
in my rules, that is to say, the NAT didn´t translate the external address
to the internal address even though there is a rule to do that.
Using a router in the external network I have tested my NAT translation
rules with other commands like Ping or Telnet and this worked fine. I saw
it on the output of snoop that the NAT is correctly translating the
destination address to the internal network address, so my configuration
seems to be ok.
I have looked for this bug on the Sunsolve and I have found a Jumbo Patch
for Solstice FireWall-1 2.0 VPN (103337-5) , I installed it but it didn´t
correct the problem.
Has anybody found this kind of problem ?