Can the USG firewall be traversed by the tracert command?


1. Tracert to the firewall itself
In the packet filter, permit ICMP or UDP packets destined for the firewall itself (its Local zone). If Tracert uses ICMP packets, you also need to run the ip unreachables enable command so that the firewall sends ICMP destination unreachable packets.

2. Tracert forwarded through the firewall
A. In the packet filter, permit ICMP or UDP packets to pass through the firewall.
B. Enable the ICMP timeout (Time Exceeded) packet function (command: ip ttl-expires enable).
C. Disable the Tracert packet attack defense function (command: undo firewall defend tracert enable).

The UDP destination ports used by Tracert are: first hop 33434, second hop 33435, third hop 33436, and so on (the port for hop N is 33434 + N - 1).
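As an added illustration (not Huawei code or output), the following Python model ties the conditions above to what tracert displays: it computes the UDP port probed at each hop, and for a given set of firewall settings returns whether a probe is answered (so the firewall's address appears in the trace) or silently dropped (so the hop shows * * *). The FirewallConfig fields and the reply names are assumptions of the model; the page lists the attack-defense setting only for forwarded tracert, so the model applies it to forwarded probes only.

```python
"""Model of how a USG-style firewall answers tracert probes.

Added example, not Huawei code. The FirewallConfig fields mirror the page's
commands (ip unreachables enable, ip ttl-expires enable,
undo firewall defend tracert enable) plus the packet-filter policy; the
reply names are this model's own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TRACERT_BASE_PORT = 33434  # UDP port probed for hop 1


def tracert_udp_port(hop: int) -> int:
    """UDP destination port probed for hop N: 33434 + N - 1."""
    if hop < 1:
        raise ValueError("hop count starts at 1")
    return TRACERT_BASE_PORT + hop - 1


def tracert_port_range(max_hops: int = 30) -> Tuple[int, int]:
    """Inclusive UDP port range a packet filter must permit for a UDP tracert."""
    return tracert_udp_port(1), tracert_udp_port(max_hops)


@dataclass
class FirewallConfig:
    permit_icmp: bool = False          # packet filter permits ICMP probes
    permit_udp_tracert: bool = False   # packet filter permits the tracert UDP range
    ip_unreachables: bool = False      # ip unreachables enable
    ip_ttl_expires: bool = False       # ip ttl-expires enable
    defend_tracert: bool = True        # tracert attack defense (assumed on by default)
    max_hops: int = 30


def firewall_reply(cfg: FirewallConfig, proto: str, ttl: int,
                   dst_port: Optional[int] = None,
                   to_firewall: bool = False) -> str:
    """Return what the firewall does with one probe.

    "time-exceeded"    the hop line shows the firewall's address
    "dest-unreachable" the firewall, as the destination, ends the trace
    "forwarded"        the probe passes on to the next hop
    "silent"           tracert prints * * * for this hop
    """
    # 1. packet filter: the probe must be permitted at all
    if proto == "icmp":
        if not cfg.permit_icmp:
            return "silent"
    elif proto == "udp":
        lo, hi = tracert_port_range(cfg.max_hops)
        if not (cfg.permit_udp_tracert and dst_port is not None
                and lo <= dst_port <= hi):
            return "silent"
    else:
        raise ValueError(f"unsupported probe protocol: {proto}")

    # 2. probe addressed to the firewall itself (the page's case 1): the page
    #    requires ip unreachables enable for the firewall to answer
    if to_firewall:
        return "dest-unreachable" if cfg.ip_unreachables else "silent"

    # 3. probe forwarded through the firewall (the page's case 2); the attack
    #    defense is modelled for forwarded probes only, as the page lists it there
    if cfg.defend_tracert:
        return "silent"
    if ttl <= 1:  # TTL reaches 0 here
        return "time-exceeded" if cfg.ip_ttl_expires else "silent"
    return "forwarded"


def hop_display(reply: str, firewall_ip: str) -> str:
    """What the tracert hop line shows at the firewall's position."""
    return "* * *" if reply == "silent" else firewall_ip


if __name__ == "__main__":
    # constructed demo: firewall is the hop where TTL expires, address assumed
    fixed = FirewallConfig(permit_udp_tracert=True, ip_ttl_expires=True,
                           defend_tracert=False)
    for hop in (1, 2, 3):
        port = tracert_udp_port(hop)
        before = hop_display(firewall_reply(FirewallConfig(), "udp", 1, port), "10.0.0.1")
        after = hop_display(firewall_reply(fixed, "udp", 1, port), "10.0.0.1")
        print(f"hop {hop} probes UDP/{port}: default -> {before}, configured -> {after}")
```

With the default configuration every probe is dropped and the firewall's hop prints * * *; once the packet filter permits the UDP range, ip ttl-expires enable is set and the tracert defense is turned off, the same probe is answered with a Time Exceeded reply and the firewall's address appears.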

Other related questions:
How does the USG firewall use the tracert command?
On the USG2000, USG5000 and USG6000, use the tracert command as follows: run the tracert command on the client to detect where the network has failed. The following is an example of using tracert to analyze the network:

Tracert
Traceroute to (, 30 hops max, 56 byte packet
 1   19 ms   19 ms    0 ms
 2   39 ms   39 ms   19 ms
 3   39 ms   40 ms   39 ms
 4   39 ms   39 ms   39 ms
 5   40 ms   59 ms   59 ms
 6   59 ms   59 ms   59 ms
 7   99 ms   99 ms   80 ms
 8  139 ms  239 ms  319 ms
 9  220 ms  199 ms  199 ms
10  239 ms  239 ms  239 ms

The output lists the IP address of each gateway traversed from the source to the destination. If an intermediate gateway times out, the output shows "* * *" for that hop, and this information can be used to locate the failure.

What if the firewall's IP address is not displayed when using tracert?
Run the ip ttl-expires enable command. After receiving an ICMP packet from the Windows host whose TTL has reached 0, the firewall replies with an ICMP timeout (Time Exceeded) packet, and the IP address of the firewall is then displayed on the Windows host.

Firewall NAT traversal
NAT traversal on the USG: what is IPSec NAT traversal?
When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.

Authentication Header (AH) hashes the entire IP packet (including the IP addresses in the IP header) to authenticate data integrity. If NAT is deployed, the IP address changes after NAT, so the hash value also changes and authentication fails. Therefore, an IPSec tunnel that uses AH cannot traverse a NAT gateway.

Encapsulating Security Payload (ESP) hashes the payload only, so IP address changes do not affect ESP authentication. However, ESP is a Layer 3 protocol with no port numbers, so ESP alone cannot pass through Network Address Port Translation (NAPT), which needs a port to translate.

To resolve this issue, NAT traversal adds a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the IP header of the original packet and the ESP header. In tunnel mode, a standard UDP header is inserted between the new IP header and the ESP header. When an ESP packet traverses a NAT device, the NAT device translates the IP address in the outer IP header and the port in the UDP header. The peer end of the IPSec tunnel processes the translated packet as a common IPSec packet. A UDP header is also inserted between the IP header and the ESP header of the reply packet.

Ports used in firewall NAT traversal
Ports that must be permitted when IPSec NAT traversal is used on the USG: destination UDP ports 500 and 4500. If no NAT device is deployed, port 500 is used; if a NAT device is deployed, port 4500 is used. In addition, IP protocol number 51 must be permitted for AH packets and IP protocol number 50 for ESP packets (these are IP protocol numbers, not transport ports).
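The following Python model, added here and not Huawei code, shows the two points from the NAT traversal explanation and the port list above in bytes: an AH-style integrity check that covers the IP header fails after a NAPT device rewrites the source address, while an ESP packet carried in UDP 4500 (NAT-T) still verifies because only the ESP header and payload are covered and the NAT rewrites just the outer IP address and UDP port. It also builds the transport-mode and tunnel-mode layouts with the UDP header in the position the text describes, and selects port 500 or 4500 according to whether a NAT was detected. The key, SPI, addresses and the truncated HMAC-SHA256 standing in for the IPsec ICV are constructed for the demo; real AH additionally excludes mutable header fields from its hash, which this toy omits.

```python
"""Why ESP survives NAT-T and AH does not, and where the UDP header goes.

Added example, not Huawei code. Packets are plain byte strings; a truncated
HMAC-SHA256 stands in for the IPsec integrity check value (ICV). Key, SPI
and all addresses below are constructed demo values.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-integrity-key"  # constructed, not a real key
ESP_SPI = 0x1000                          # constructed SPI
ICV_LEN = 12
PROTO_ESP, PROTO_AH, PROTO_UDP, PROTO_TCP = 50, 51, 17, 6
ISAKMP_PORT = 500      # IKE without NAT
NAT_T_PORT = 4500      # IKE and UDP-encapsulated ESP once a NAT is detected


def ike_port(nat_detected: bool) -> int:
    """Destination UDP port the peers use, per the page's port list."""
    return NAT_T_PORT if nat_detected else ISAKMP_PORT


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# --- AH: the integrity check covers the IP header as well ------------------
def ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    hdr = ip_header(src, dst, PROTO_AH)
    return hdr + payload + icv(hdr + payload)


def ah_verify(pkt: bytes) -> bool:
    body, tag = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv(body), tag)


# --- ESP with NAT-T: UDP header sits between the IP header and ESP header --
def esp_nat_t_packet(src: str, dst: str, payload: bytes, mode: str,
                     inner=None) -> bytes:
    """transport: IP | UDP | ESP | payload
       tunnel:    new IP | UDP | ESP | inner IP | payload"""
    esp_hdr = struct.pack("!II", ESP_SPI, 1)  # SPI, sequence number
    if mode == "tunnel":
        inner_src, inner_dst = inner
        body = esp_hdr + ip_header(inner_src, inner_dst, PROTO_TCP) + payload
    elif mode == "transport":
        body = esp_hdr + payload
    else:
        raise ValueError(f"unknown mode {mode!r}")
    udp_len = 8 + len(body) + ICV_LEN
    udp_hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, udp_len, 0)
    # the ICV covers only the ESP header and what follows, never the IP/UDP headers
    return ip_header(src, dst, PROTO_UDP) + udp_hdr + body + icv(body)


def esp_nat_t_verify(pkt: bytes) -> bool:
    body, tag = pkt[28:-ICV_LEN], pkt[-ICV_LEN:]  # skip 20-byte IP + 8-byte UDP
    return hmac.compare_digest(icv(body), tag)


# --- a NAPT device: rewrites the outer source IP and, for UDP, source port ---
def napt(pkt: bytes, new_src: str, new_sport=None) -> bytes:
    out = bytearray(pkt)
    out[12:16] = ipaddress.IPv4Address(new_src).packed
    if out[9] == PROTO_UDP and new_sport is not None:
        out[20:22] = struct.pack("!H", new_sport)
    return bytes(out)


def outer_ports(pkt: bytes):
    """(source port, destination port) of the outer UDP header."""
    return struct.unpack("!HH", pkt[20:24])


if __name__ == "__main__":
    ah = ah_packet("10.0.0.2", "203.0.113.10", b"demo payload")
    esp = esp_nat_t_packet("10.0.0.2", "203.0.113.10", b"demo payload", "transport")
    print("AH  before NAT:", ah_verify(ah), " after NAT:", ah_verify(napt(ah, "198.51.100.1")))
    print("ESP before NAT:", esp_nat_t_verify(esp),
          " after NAPT:", esp_nat_t_verify(napt(esp, "198.51.100.1", 40001)))
```

The NAPT step only touches the outer IP source address and the UDP source port, which is exactly the part of the NAT-T packet that the ESP integrity check does not cover; the AH packet fails because its check includes the header the NAT rewrote.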

Configuring IPSec NAT traversal on the USG
Run the nat traversal command on the IKE peers on both sides of the NAT gateway to enable IPSec NAT traversal.
