Hi!
Okay. After banging my head on the keyboard for a couple of hours I'm giving in :) Does anybody know what the hell PIX is doing to ICMP packets? I seem to be able to get only 992B large ICMPs over the PIX (992B ICMP = 1020B MTU). The network layout is pretty simple:
(C)-----(R)-----(P)----(Internet)
C = client, R = router (Cisco IOS 12.2), P = PIX 506E
If I run tracepath/mturoute towards the router I get the MTU of 1500 which is okay and expected (regular Ethernet). If I tracepath across the router to a VPN connected site (the traffic here does not pass the PIX) I end up with an MTU of 1436 which is also ok.
But if I run tracepath to the IP of the inside interface of the PIX, the PIX will only respond to ICMP packets up to 992 bytes in size (MTU 1020). I get similar results from tracepathing hosts on the Internet (even sites where I know the MTU should be 1492). It might be worth noting that the router is in a pure routing function and is not doing any packet filtering. The MTU of all interfaces is set to 1500. The MTU for the inside and outside interface is set to 1500 on the PIX (Ethernet on both sides).
To make the matter weirder - I've tried the same tests on a similar PIX layout (again client -> router -> PIX -> Internet) only to end up with the exact same results.
So does anyone have a clue what exactly I'm doing wrong - or why PIX decides that ICMP packets over 992 bytes in size aren't to be trusted and neither a) responds to them nor b) passes them to the outside interface.
Thanks.
D.
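The measurement described in the post (largest ICMP echo that still gets a reply, converted to an implied MTU by adding the 8-byte ICMP and 20-byte IP headers), as an added example that is not part of the original post. The probe is a binary search over payload sizes with an injectable sender; `simulated_pix` is a constructed stand-in reproducing the 992-byte cut-off, and `ping_echo` assumes Linux iputils `ping` (`-M do` sets DF; other platforms use different flags).

```python
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo request/reply header


def icmp_payload_to_mtu(payload: int) -> int:
    """On-the-wire IP packet size implied by an ICMP echo payload of `payload` bytes.
    992 bytes of payload -> 1020-byte MTU, as in the post."""
    return payload + ICMP_HDR + IP_HDR


def largest_answered_payload(echo: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload size for which echo(size) reports a reply.
    echo(size) sends one DF-marked echo with `size` bytes of payload and returns True on reply.
    Assumes monotonic behaviour (replies up to some limit, none above it); with real packet
    loss, wrap `echo` in a retry. Returns -1 if even `lo` bytes get no answer."""
    if not echo(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if echo(mid):
            lo = mid          # answered: the limit is at least mid
        else:
            hi = mid - 1      # dropped: the limit is below mid
    return lo


def ping_echo(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real sender for a live check (assumption: Linux iputils ping). Not used by the test."""
    def echo(size: int) -> bool:
        r = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(size), host],
            capture_output=True,
        )
        return r.returncode == 0
    return echo


def simulated_pix(limit: int = 992) -> Callable[[int], bool]:
    """Constructed responder mimicking the reported behaviour: replies only up to `limit` bytes."""
    return lambda size: size <= limit


if __name__ == "__main__":
    payload = largest_answered_payload(simulated_pix())
    print(f"largest answered ICMP payload: {payload} B -> implied MTU {icmp_payload_to_mtu(payload)} B")
```

Against a real host, replace `simulated_pix()` with `ping_echo("<inside-interface-ip>")`; a result far below 1472 on a 1500-byte Ethernet path is the symptom to chase.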