01-04-2010 07:37 PM - edited 03-06-2019 09:09 AM
Hi,
I was asked why one hop doesn't show in the traceroute from Server1. Hop #2 is supposed to show 192.168.2.1. Can anyone share the explanation with me?
Server1
C:\>tracert -d 192.168.6.1
Tracing route to 192.168.6.1 over a maximum of 30 hops
1 3 ms 1 ms 2 ms 172.16.1.1
2 1 ms 2 ms 1 ms 192.168.3.1
3 53 ms 48 ms 50 ms 192.168.4.1
4 50 ms 69 ms 51 ms 192.168.5.1
5 50 ms 57 ms 50ms 192.168.6.1
Server2
C:\>tracert -d 192.168.6.1
Tracing route to 192.168.6.1 over a maximum of 30 hops
1 3 ms 2 ms 3 ms 10.1.1.1
2 3 ms 5 ms 2 ms 172.17.1.1
3 2 ms 2 ms 3 ms 192.168.2.1
4 2 ms 3 ms 3 ms 192.168.3.1
5 53 ms 48 ms 50 ms 192.168.4.1
6 50 ms 69 ms 51 ms 192.168.5.1
7 50 ms 57 ms 50ms 192.168.6.1
Server3
C:\>tracert -d 192.168.6.254
Tracing route to 192.168.6.254 over a maximum of 30 hops
1 3 ms 2 ms 3 ms 10.1.1.1
2 3 ms 5 ms 2 ms 172.17.1.1
3 2 ms 2 ms 3 ms 192.168.2.1
4 2 ms 3 ms 3 ms 192.168.3.1
5 53 ms 48 ms 50 ms 192.168.4.1
6 50 ms 69 ms 51 ms 192.168.5.1
7 50 ms 57 ms 50ms 192.168.6.254
Update: 172.16.1.1 and 172.17.1.1 are Cisco Firewalls while 192.168.2.1 is a Juniper Firewall.
TIA
Dandy
01-04-2010 10:19 PM
Is the Juniper configured as a routed hop, or a layer 2 (Transparent) firewall? If it's transparent, it wouldn't show.
Dan
01-06-2010 04:17 AM
Nope. The Juniper is not configured as a transparent hop, as it is able to respond to Server 2 and Server 3 as hop 3.
Update: 172.16.1.1 and 172.17.1.1 are 2 security segments from the same Cisco ASA Firewall 8.0(3).
01-06-2010 05:15 AM
Dandy
Don't know the answer, but to start narrowing it down:
1) Are the servers running the same OS?
2) Is there any way you can get to 192.168.3.1 from Server1 without going through 192.168.2.1?
Jon
01-06-2010 07:14 AM
Hi Jon,
Thanks.
I will enquire about your query. I have the diagram, I will post a lab version of the diagram here tomorrow.
I will also enquire what is the first hop for Server 2 (10.1.1.1) as they say that 172.17.1.1 is the same firewall as 172.16.1.1 (different interface).
I was trying to simulate the traceroute from my lab and can't get the same result.
- I tried simulating using STATIC NAT with assigned IP and OUTSIDE Interface IP, no luck.
- At first I thought it could be related to this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml but this article is referring to internal behaviour of ASA. The behaviour that was shared to me is external to the ASA firewall.
It's an interesting behaviour and I want to find out what causes it.
Btw, the ASA Firewall is using 8.0(3) firmware and is set up as Active/Standby.
Best wishes,
Dandy