
traceroute

Danilo Dy
VIP Alumni

Hi,

I was asked why one hop doesn't show in the traceroute from Server1. Hop #2 is supposed to show 192.168.2.1. Can you share the explanation with me?

Server1
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     1 ms     2 ms    172.16.1.1
2     1 ms     2 ms     1 ms    192.168.3.1
3     53 ms    48 ms    50 ms   192.168.4.1
4     50 ms    69 ms    51 ms   192.168.5.1
5     50 ms    57 ms    50 ms   192.168.6.1


Server2
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms   192.168.5.1
7     50 ms    57 ms    50 ms   192.168.6.1

Server3
C:\>tracert -d 192.168.6.254

Tracing route to 192.168.6.254 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms   192.168.5.1
7     50 ms    57 ms    50 ms   192.168.6.254

Update: 172.16.1.1 and 172.17.1.1 are Cisco firewalls, while 192.168.2.1 is a Juniper firewall.

TIA

Dandy

4 Replies

danrya
Level 1

Is the Juniper configured as a routed hop, or as a layer 2 (transparent) firewall? If it's transparent, it wouldn't show.

Dan

Nope. The Juniper is not configured as a transparent hop, as it is able to respond to Server 2 and Server 3 as hop 3.

Update: 172.16.1.1 and 172.17.1.1 are 2 security segments from the same Cisco ASA Firewall 8.0(3).

Jon Marshall
Hall of Fame

Dandy

Don't know the answer, but to start narrowing it down:

1) Are the servers running the same OS?

2) Is there any way you can get to 192.168.3.1 from Server1 without going through 192.168.2.1?

Jon

Hi Jon,

Thanks.

I will enquire about your query. I have the diagram; I will post a lab version of the diagram here tomorrow.

I will also enquire what the first hop for Server 2 (10.1.1.1) is, as they say that 172.17.1.1 is the same firewall as 172.16.1.1 (different interface).

I was trying to simulate the traceroute from my lab and can't get the same result.
- I tried simulating using STATIC NAT with an assigned IP and the OUTSIDE interface IP, no luck.
- At first I thought it could be related to this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml but this article is referring to the internal behaviour of the ASA. The behaviour that was shared with me is external to the ASA firewall.

It's an interesting behaviour, and I want to find out what causes it.

Btw, the ASA firewall is using 8.0(3) firmware and is set up as Active/Standby.

Best wishes,
Dandy
