RE: Trace and Ping with Record Option on Cisco Routers

[Danny.Andaluz () triaton-na com]

That's exactly it, Crist.  I did a little research and that the PIX drops
any packets with IP Options turned on.  Currently there is no workaround.
This is IP Option 7 to be exact.

Thanks,
Danny

-----Original Message-----
From: Crist Clark [mailto:crist.clark () globalstar com] 
Sent: Monday, December 22, 2003 6:18 PM
To: Andaluz, Danilo, Triaton/NA
Cc: nanog () merit edu
Subject: Re: Trace and Ping with Record Option on Cisco Routers


> Danny.Andaluz () triaton-na com wrote:
>
> Hey, Group.
>
> In my production network, I'm trying to do some extended traces and 
> pings with the record option turned on to see what route my packets 
> take going and returning.  It's not working.  If I do the extended 
> traceroute or ping without the record option, it works fine.  There is 
> a firewall (PIX) a few hops in front of the destination I'm trying to 
> record the route for.  What part of ICMP is this that needs to be 
> opened on the firewall to allow this to come back?  First time I'm 
> coming across this.

It's not ICMP. It's the IP Options. Most firewalls will drop any packet with
an IP Options. Many firewalls will not let you turn this off. I do not know
how to allow IP Options through a PIX, but I know how to do it in Cisco IOS.
-- 
Crist J. Clark                               crist.clark () globalstar com
Globalstar Communications                                (408) 933-4387