Nat – traceroute through Twice NAT’ing

firewall, icmp, nat, ping, traceroute

Interesting traceroute I am getting through a firewall where we are NAT'ing both source and destination. I am wondering if it is possible to get this to work. We are trying to set up a traceroute monitor to trace routes out on the far end of our firewall. We are using Nagios to report back if the last hop changes, to give us an idea of any fluctuations. I have the Nagios script working internally; however, when I cross to a host on the far end of the firewall, I am receiving weird info back from the traceroute command. I've tried both ICMP and TCP traceroutes.

Here is what I am getting.

traceroute to 10.255.1.166 (10.255.1.166), 30 hops max, 60 byte packets
 1  10.1.0.2  0.532 ms  0.753 ms 10.1.0.3  0.619 ms
 2  10.54.4.13  1.844 ms 10.253.4.23  1.994 ms  2.048 ms
 3  10.67.29.3  1.993 ms  1.988 ms  1.968 ms
 4  10.255.1.166  2.167 ms  2.178 ms  2.172 ms
 5  10.255.1.166  2.754 ms  2.257 ms  2.761 ms
 6  10.255.1.166  2.460 ms  2.749 ms  2.839 ms
 7  10.255.1.166  3.105 ms  2.923 ms  2.979 ms
 8  10.255.1.166  3.420 ms  3.508 ms  3.398 ms
 9  10.255.1.166  3.092 ms  2.997 ms  2.936 ms

  • This is a Linux box with IP 10.1.0.55, which we source NAT to 10.99.99.55 when traversing
  • 10.255.1.166 is the NAT address of the host on the far end of the firewall; its real address is 10.21.3.4
  • The firewall is a Palo Alto running code v6.1

Best Answer

I would guess that the NAT is deliberately changing the source IP for ICMP errors coming from the network behind the NAT to reduce the chance of them being dropped by ingress filtering.

I do not know the specifics of the NAT device you are using and hence I do not know if this behaviour is configurable.
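As an added example (not from the question or the answer): a small Python parser that applies the answer's explanation to the traceroute above. It treats the run of hops that all answer with the destination's NAT address as masked, derives the last router that is genuinely visible, and wraps that in a Nagios-style status so the monitor from the question can still alert on path changes. The traceroute text is taken from the question; the function names and the OK/WARNING/CRITICAL policy are assumptions of mine.

```python
import re

# Constructed sample input (the traceroute from the question): every hop past the
# firewall answers with the destination NAT address, so the real last router is
# the last address seen before that run begins.
SAMPLE = """\
traceroute to 10.255.1.166 (10.255.1.166), 30 hops max, 60 byte packets
 1  10.1.0.2  0.532 ms  0.753 ms 10.1.0.3  0.619 ms
 2  10.54.4.13  1.844 ms 10.253.4.23  1.994 ms  2.048 ms
 3  10.67.29.3  1.993 ms  1.988 ms  1.968 ms
 4  10.255.1.166  2.167 ms  2.178 ms  2.172 ms
 5  10.255.1.166  2.754 ms  2.257 ms  2.761 ms
 6  10.255.1.166  2.460 ms  2.749 ms  2.839 ms
"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse(text):
    """Return (target, [(ttl, [ips]), ...]); a '* * *' hop yields an empty list."""
    lines = text.splitlines()
    target = IPV4.search(lines[0]).group(0)
    hops = [(int(m.group(1)), IPV4.findall(m.group(2)))
            for m in map(HOP.match, lines[1:]) if m]
    return target, hops

def analyze(text):
    """Collapse the NAT-masked tail (hops that answer only with the destination
    address) and report the last router that is genuinely visible."""
    target, hops = parse(text)
    visible, masked_ttls = [], []
    for ttl, ips in hops:
        if target in ips:
            masked_ttls.append(ttl)
        elif not masked_ttls:  # only trust addresses seen before masking starts
            visible.extend(ip for ip in ips if ip not in visible)
    return {"target": target,
            "last_real_hop": visible[-1] if visible else None,
            "masked_from_ttl": masked_ttls[0] if masked_ttls else None,
            "nat_masked": len(masked_ttls) > 1}  # a real endpoint answers once

def nagios_check(text, expected_last_hop):
    """Nagios plugin semantics (assumed policy): 0 OK, 1 WARNING, 2 CRITICAL."""
    r = analyze(text)
    if r["last_real_hop"] != expected_last_hop:
        return 2, "CRITICAL: last visible hop %s, expected %s" % (
            r["last_real_hop"], expected_last_hop)
    if r["nat_masked"]:
        return 1, "WARNING: TTL %d onward masked as %s by NAT" % (
            r["masked_from_ttl"], r["target"])
    return 0, "OK: last hop %s" % r["last_real_hop"]
```

Because the firewall hides every hop behind it, the check can only watch the path up to the last router in front of the firewall (10.67.29.3 here); a WARNING marks that the tail is masked rather than genuinely reached.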