12-17-2015 02:19 PM - edited 03-12-2019 12:03 AM
Hello Community
I have an interesting case and after reading these articles and some others, I'm not sure how to fix it... For some reason, for some IPs behind our firewall the traceroute shows the IP of the outside interface multiple times and I don't know how to fix it. I even tried the command "icmp deny any outside" and the traces and pings are still allowed.
Any idea?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Behavior >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Tracing route to 55.55.55.80 over a maximum of 30 hops
1 3 ms 2 ms 2 ms 172.31.201.254
2 3 ms 8 ms 9 ms 184.105.203.85
3 9 ms 8 ms 6 ms 216.66.78.114
4 14 ms 14 ms 14 ms 55.55.55.6
5 15 ms 16 ms 17 ms 55.55.55.6
6 14 ms 13 ms 14 ms 55.55.55.6
7 14 ms 14 ms 15 ms 55.55.55.6
8 14 ms 16 ms 14 ms 55.55.55.6
^C
Tracing route to 55.55.55.243 over a maximum of 30 hops
1 1 ms 1 ms 8 ms 172.31.201.254
2 4 ms 2 ms 2 ms 184.105.203.85
3 13 ms 3 ms 3 ms 216.66.78.114
4 * * * Request timed out.
5 31 ms 14 ms 14 ms 55.55.55.243
Trace complete.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My configuration >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
icmp unreachable rate-limit 1 burst-size 1
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
access-list interface_outside extended permit icmp any any source-quench
access-list interface_outside extended permit icmp any any unreachable
access-list interface_outside extended permit icmp any any time-exceeded
access-list interface_outside extended permit icmp any any echo-reply
access-list interface_outside extended permit icmp any any echo
Thanks.
Rolando Valenzuela.
12-18-2015 09:47 AM
Hola Rolando;
Quick question there, are the IPs you are seeing multiple times within the outside interface range? I've seen this once or twice.
Let us know.
Mike.
12-18-2015 12:18 PM
Good day Maykol!
Yes it is.
Rolando Valenzuela.
12-18-2015 12:20 PM
Can you quickly double check the NAT rules associated with the IP address that is shown multiple times?
Mike.
12-18-2015 12:34 PM
Not sure if we are talking about the same thing, but here's the deal:
>>>>>>>>> Our configuration >>>>>>>>>
Internet --- Router --- Firewall
The router internet facing has the IP 55.55.55.6, while the firewall has 55.55.55.1 on the outside interface.
There are a lot of things NATed as .1 and some others as .50, .200, .80, etc., but nothing as .6.
Not sure how to answer your question but maybe this can help:
global (outside) 1 interface
global (outside) 3 55.55.55.50
global (outside) 5 55.55.55.46
global (outside) 6 55.55.55.18
global (outside) 7 55.55.55.155
global (outside) 8 55.55.55.37
global (inside) 4 55.55.55.50
nat (inside) 0 access-list nonat
nat (inside) 7 access-list proxy-outbound-nat
nat (inside) 8 access-list exchange-nat
nat (inside) 3 access-list custom-nat
nat (inside) 6 access-list DNS-out
nat (inside) 1 10.10.80.171 255.255.255.255
nat (inside) 1 10.10.80.180 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
Thanks for all the help!
Rolando Valenzuela.
12-18-2015 12:43 PM
It does help a lot.
Are you doing the traceroute from the inside network? Using the example you gave at the very beginning, is 55.55.55.80 NATed to something on your internal network?
12-18-2015 12:59 PM
55.55.55.80 is NATed to 10.34.4.11
access-list acl0 extended permit tcp any gt 1023 host 55.55.55.80 eq https
access-list acl0 extended permit tcp any gt 1023 host 55.55.55.80 eq www
static (inside,outside) tcp 55.55.55.80 https 10.34.4.11 12345 netmask 255.255.255.255
Yes, right now the traces are from the inside network, but I found out because a customer told me about that odd behavior, so it seems it also happens from the outside. I'm not sure if it is only when using a Windows machine, since I cannot reproduce it using my cellphone with PingTools or with Ping.eu.
Thanks again!
Rolando Valenzuela
12-18-2015 01:57 PM
I have a theory, one being the fact that since it is not a 1-to-1 translation to a host on the inside, when the ICMP request gets to the router, it tries to forward it to the ASA and sends itself as a hop; for each attempt that the host makes, nobody will respond to that packet (since the translation is only for layer 4 packets), so the host keeps trying, and that would explain why you see the same hop many times.
With UDP it is different, since the packets
I think this is something fairly easy to reproduce, I'm gonna take some time and sit and test around this.
Oh, by the way, I'm sure this gets fixed by doing a one-to-one translation, something that may not be easy to do in most environments.
Mike.
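An added example to go with the NAT lines Rolando posted and Mike's theory about the port-only static. This is my own code, not from the thread, from Cisco, or from either poster. It parses Windows tracert output, flags any hop address that appears more than once (a normal path lists each router exactly once), and checks the traced address against the pre-8.3 ASA "static" lines to say whether it has a one-to-one translation, a single-port translation (as 55.55.55.80 does, tcp/https only), or none at all. Assumptions are mine: tracert lines carry a bare IP or "name [ip]", and the config uses the "static (inside,outside) ..." syntax seen above. The sample trace and the tcp static are the thread's own figures; the second static line (55.55.55.50 to 10.10.80.50) is a hypothetical one-to-one entry added only to exercise that branch.

```python
"""Added example: correlate a tracert transcript with ASA (pre-8.3) static NAT.
Not the thread's or Cisco's code; assumptions are noted inline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOP_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+)\s*$")           # "1 3 ms 2 ms 2 ms 1.2.3.4"
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*\s+\*\s+\*\s+Request timed out\.")
TARGET_RE = re.compile(r"Tracing route to (\S+)")
BRACKET_IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")         # "host.example [1.2.3.4]"
IP = r"(\d+\.\d+\.\d+\.\d+)"
# static (real,mapped) MAPPED REAL netmask ...                 -> one-to-one (all protocols)
STATIC_ONE_TO_ONE = re.compile(rf"^static \(\w+,\w+\) {IP} {IP} netmask")
# static (real,mapped) tcp|udp MAPPED MPORT REAL RPORT netmask -> that one port only
STATIC_PORT = re.compile(rf"^static \(\w+,\w+\) (tcp|udp) {IP} (\S+) {IP} (\S+) netmask")


@dataclass
class Hop:
    number: int
    address: Optional[str]  # None when the hop timed out ("* * *")


def trace_target(text: str) -> Optional[str]:
    """The address named in the 'Tracing route to ...' header, if present."""
    m = TARGET_RE.search(text)
    return m.group(1) if m else None


def parse_tracert(text: str) -> List[Hop]:
    """Return the hops of a Windows tracert transcript in order."""
    hops: List[Hop] = []
    for line in text.splitlines():
        t = TIMEOUT_RE.match(line)
        if t:
            hops.append(Hop(int(t.group(1)), None))
            continue
        m = HOP_RE.match(line)
        if m and " ms" in m.group(2):           # only real hop lines carry RTTs
            b = BRACKET_IP_RE.search(line)       # prefer the IP when a name is shown
            hops.append(Hop(int(m.group(1)), b.group(1) if b else m.group(3)))
    return hops


def repeated_hops(hops: List[Hop]) -> List[Tuple[str, int]]:
    """Addresses answering for more than one TTL, with their counts.
    A repeat means one device keeps sending time-exceeded for successive TTLs
    (a loop, or a router in front of something that never replies)."""
    counts: Dict[str, int] = {}
    for h in hops:
        if h.address:
            counts[h.address] = counts.get(h.address, 0) + 1
    return [(a, n) for a, n in counts.items() if n > 1]


def static_translations(config: str) -> Dict[str, dict]:
    """Map each mapped (outside) IP to {'one_to_one': bool, 'ports': [(proto, port)]}."""
    result: Dict[str, dict] = {}
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_PORT.match(line)
        if m:
            entry = result.setdefault(m.group(2), {"one_to_one": False, "ports": []})
            entry["ports"].append((m.group(1), m.group(3)))
            continue
        m = STATIC_ONE_TO_ONE.match(line)
        if m:
            entry = result.setdefault(m.group(1), {"one_to_one": False, "ports": []})
            entry["one_to_one"] = True
    return result


def diagnose(target: str, nat: Dict[str, dict]) -> str:
    """Say what kind of translation the traced address has on the ASA."""
    entry = nat.get(target)
    if entry is None:
        return f"{target}: no static translation; nothing inside will ever answer ICMP for it"
    if entry["one_to_one"]:
        return f"{target}: one-to-one static, ICMP is translated like every other protocol"
    ports = ", ".join(f"{p}/{q}" for p, q in entry["ports"])
    return f"{target}: port translation only ({ports}); ICMP echo is not covered by this static"


# Constructed sample input (figures copied from the thread; the .50 static is hypothetical).
TRACE_80 = """Tracing route to 55.55.55.80 over a maximum of 30 hops
1 3 ms 2 ms 2 ms 172.31.201.254
2 3 ms 8 ms 9 ms 184.105.203.85
3 9 ms 8 ms 6 ms 216.66.78.114
4 14 ms 14 ms 14 ms 55.55.55.6
5 15 ms 16 ms 17 ms 55.55.55.6
6 14 ms 13 ms 14 ms 55.55.55.6
7 14 ms 14 ms 15 ms 55.55.55.6
8 14 ms 16 ms 14 ms 55.55.55.6
"""
TRACE_243 = """Tracing route to 55.55.55.243 over a maximum of 30 hops
1 1 ms 1 ms 8 ms 172.31.201.254
2 4 ms 2 ms 2 ms 184.105.203.85
3 13 ms 3 ms 3 ms 216.66.78.114
4 * * * Request timed out.
5 31 ms 14 ms 14 ms 55.55.55.243
Trace complete.
"""
ASA_CONFIG = """static (inside,outside) tcp 55.55.55.80 https 10.34.4.11 12345 netmask 255.255.255.255
static (inside,outside) 55.55.55.50 10.10.80.50 netmask 255.255.255.255
"""

if __name__ == "__main__":
    nat = static_translations(ASA_CONFIG)
    for trace in (TRACE_80, TRACE_243):
        hops = parse_tracert(trace)
        target = trace_target(trace)
        print(f"{target}: {len(hops)} hops, repeats={repeated_hops(hops)}")
        print("  " + diagnose(target, nat))
```

Run against the two traces above, the first reports 55.55.55.6 answering five hops in a row and a target that is translated for tcp/https only; the second shows a single timed-out hop and no repeat, which is what a path with nothing odd in front of the destination looks like.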
03-22-2016 06:52 AM
Hi Maykol, sorry to bother you again after all this time, but I'm seeing this behavior in more than one firewall now :( Any idea?