The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Hide NAT and Traceroute from Windows machines fails

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Short Answer: FireWall-1 4.0 should support this. Earlier versions of FireWall-1 do not. There are bugs with this in NG FP2 (possibly before) that are fixed in NG FP3 or with a hotfix to FP2.

Background: With HIDE translations, FireWall-1 has to munge source ports so it can keep track of "reply" packets. With ICMP packets, there is no source or destination ports, so it has to use the data portion of an ICMP packet to encode state information (it's usually garbage anyway). An ICMP Echo-Reply packet usually sends back all the data that was sent to it, so a normal ICMP Echo-Request and ICMP Echo-Reply sequence should work fine through a HIDE NAT. Other sorts of ICMP packets (particularly Time-Exceeded) do not send back all of the data sent at it.

Unix traceroute is done with high-port UDP packets with a short TTL. These "hide" very nicely as the Time-Exceeded packets sent back by each hop contain enough "state" information for FireWall-1 to figure out whose traceroute the message is in response to. FireWall-1 then routes the Time-Exceeded message to the appropriate host.

Microsoft traceroute (used in all Windows products) uses ICMP Echo-Request packets with a short TTL. The state information gets encoded into the data portion of the packet when it goes through your FireWall-1 machine as all other ICMP packets do. However, the ICMP Time-Exceeded packets usually sent back by each hop do not contain the entire data portion of the packet, and it's usually not enough information for FireWall-1 to decode which machine sent the original ICMP Echo Request. This is why you get all the way to your firewall, '*'s for each hop outside of the firewall, and then the final destination.

When Microsoft traceroute reaches the final destination, it is simply an echo-request/echo-reply sequence, which will return the entire data portion of the packet, thus the state information necessary for FireWall-1 to direct the ICMP Echo Reply packet to its intended destination.

If you are using NG+FP2 AND you don't want to update to FP3 AND you want to use traceroute from WIN client, here is one possibility: Download Necrosoft traceroute from http://www.nscan.org/?index=download, it's free. Program runs on WIN and uses "Unix type" UDP based traceroute which works OK.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.