Router – Traceroute to an internet address when I’m behind a Dynamic-PAT firewall

Tags: firewall; nat; router

Consider this network diagram:

[network diagram image]

In this scenario, the router is performing "Dynamic PAT" (I'm using Cisco's definition) where all "real" or "inside" addresses are mapped to a single outside address provided by my ISP. Can host 192.168.1.20 traceroute the hops between 108.180.223.48 and 8.8.8.8?

From google I see numerous threads indicating that many people seem to expect this to work if only you configure NAT and access-lists correctly — but I don't see how that's possible. Here's why:

Traceroute relies on ICMP Time Exceeded packets to be returned to the sender of an ICMP echo or UDP packet when received with a TTL of 1. When a traceroute is initiated from 192.168.1.20, the router constructs an ICMP echo or UDP session in anticipation of reply traffic from the destination and translates the source address to 108.180.223.48. When the ICMP Time Exceeded packet is sent back from each hop, that packet isn't an expected part of the ICMP echo or UDP session. Without something fancy going on, it seems the router would have no way of unambiguously knowing to which ICMP echo or UDP session an ICMP Time Exceeded packet belongs. The router would neither know to allow the Time Exceeded packet through nor to which host to send it.

Am I missing something here? Can routers or firewalls do something fancy to make traceroutes work behind a Dynamic-PAT firewall? If so, how?

Best Answer

Yes, you're missing something. And yes, "something fancy" is going on. The router's NAT state table will map the inside-outside translation for the traceroute probe (normally UDP). As is required for ICMP to work through any firewall, an ICMP error message will be allowed as part of an established flow. The "fancy" part is the fact that the ICMP error carries the header of the packet that caused the error, so the router can match this against its NAT table for translation to the correct host.

Note: Cisco's firewall product (ASA) will not map ICMP errors unless configured to do so:

policy-map global_policy
 class inspection_default
  ...
  inspect icmp error

IOS does so without any specific configuration.
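To make the "fancy" part concrete, here is an added illustration (not code from the original post, nor any vendor's implementation) of what a PAT device does with an inbound ICMP Time Exceeded: it parses the quoted original IP/UDP header inside the ICMP error, matches it against NAT state, and rewrites the outer destination plus the quoted inner source back to the inside host. The NAT entry, outside port 40000 and hop address 10.0.0.1 are constructed sample values.

```python
import struct

# Constructed NAT state: traceroute probe 192.168.1.20:33434 -> 8.8.8.8:33434 (UDP)
# was translated by dynamic PAT to outside 108.180.223.48:40000 (sample port).
NAT_TABLE = {
    # (proto, outside_ip, outside_port, dst_ip, dst_port): (inside_ip, inside_port)
    (17, "108.180.223.48", 40000, "8.8.8.8", 33434): ("192.168.1.20", 33434),
}
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ip2b(addr):
    return bytes(map(int, addr.split(".")))

def b2ip(raw):
    return ".".join(map(str, raw))

def ipv4_header(src, dst, proto, ttl, total_len):
    """Minimal IPv4 header; checksum left zero (constructed data, not sent on the wire)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0, ip2b(src), ip2b(dst))

def time_exceeded(hop_ip, outside_ip, quoted):
    """Hop's reply: outer IP + 8-byte ICMP type 11 header + quoted original IP hdr + 8 bytes."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0)
    return ipv4_header(hop_ip, outside_ip, 1, 64, 28 + len(quoted)) + icmp + quoted

def untranslate_icmp_error(pkt):
    """Parse the quoted inner header of an ICMP error, look it up in NAT state, and
    rewrite outer dst and inner src/port. Returns (inside_host, packet) or None."""
    outer = struct.unpack(IPV4_FMT, pkt[:20])
    if outer[6] != 1 or pkt[20] not in (3, 11):   # ICMP unreachable / time exceeded only
        return None
    inner = struct.unpack(IPV4_FMT, pkt[28:48])
    proto, src, dst = inner[6], b2ip(inner[8]), b2ip(inner[9])
    sport, dport = struct.unpack("!HH", pkt[48:52])
    entry = NAT_TABLE.get((proto, src, sport, dst, dport))
    if entry is None:
        return None                                # no matching flow: dropped
    inside_ip, inside_port = entry
    new_outer = ipv4_header(b2ip(outer[8]), inside_ip, 1, outer[5], outer[2])
    new_inner = ipv4_header(inside_ip, dst, proto, inner[5], inner[2])
    new_l4 = struct.pack("!HH", inside_port, dport) + pkt[52:56]
    return inside_ip, new_outer + pkt[20:28] + new_inner + new_l4 + pkt[56:]

def demo(outside_port=40000):
    """Hop 10.0.0.1 (constructed) returns Time Exceeded for the translated probe."""
    quoted = ipv4_header("108.180.223.48", "8.8.8.8", 17, 1, 28)
    quoted += struct.pack("!HHHH", outside_port, 33434, 8, 0)  # UDP: sport dport len csum
    return untranslate_icmp_error(time_exceeded("10.0.0.1", "108.180.223.48", quoted))

if __name__ == "__main__":
    print(demo())        # matched: delivered to 192.168.1.20
    print(demo(40001))   # no state for that outside port: None
```

Calling demo() with an outside port that has no NAT entry returns None, which is exactly the case the question describes: without the quoted header there would be nothing to match.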