traceroute

Hi,

I was asked why one hop doesn't show in the traceroute from Server1. Hop #2 is supposed to show 192.168.2.1. Can anyone share the explanation with me?

Server1
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     1 ms     2 ms    172.16.1.1
2     1 ms     2 ms     1 ms    192.168.3.1
3     53 ms    48 ms    50 ms   192.168.4.1
4     50 ms    69 ms    51 ms 192.168.5.1
5     50 ms    57 ms    50ms    192.168.6.1


Server2
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms 192.168.5.1
7     50 ms    57 ms    50ms    192.168.6.1

Server3
C:\>tracert -d 192.168.6.254

Tracing route to 192.168.6.254 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms 192.168.5.1
7     50 ms    57 ms    50ms    192.168.6.254

Update: 172.16.1.1 and 172.17.1.1 are Cisco firewalls, while 192.168.2.1 is a Juniper firewall.

TIA

Dandy


Re: traceroute

Is the Juniper configured as a routed hop, or as a layer 2 (transparent) firewall? If it's transparent, it wouldn't show.

Dan

Re: traceroute

Nope. The Juniper is not configured as a transparent hop, as it is able to respond to Server 2 and Server 3 as hop 3.

Update: 172.16.1.1 and 172.17.1.1 are 2 security segments from the same Cisco ASA Firewall 8.0(3).


Re: traceroute

Dandy

Don't know the answer, but to start narrowing it down:

1) Are the servers running the same OS?

2) Is there any way you can get to 192.168.3.1 from Server1 without going through 192.168.2.1?

Jon

Re: traceroute

Hi Jon,

Thanks.

I will enquire about your query. I have the diagram, I will post a lab version of the diagram here tomorrow.

I will also enquire what the first hop for Server 2 (10.1.1.1) is, as they say that 172.17.1.1 is the same firewall as 172.16.1.1 (different interface).

I was trying to simulate the traceroute in my lab and can't get the same result.
- I tried simulating using static NAT with an assigned IP and with the outside interface IP, no luck.
- At first I thought it could be related to this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml but this article refers to the internal behaviour of the ASA. The behaviour that was shared with me is external to the ASA firewall.

It's an interesting behaviour, and I want to find out what causes it.

Btw, the ASA firewall is using 8.0(3) firmware and is set up as Active/Standby.

Best wishes,
Dandy
