
Same IP multiple hops

Hello Community

I have an interesting case and, after reading these articles and some others, I'm not sure how to fix it. For some reason, for some IPs behind our firewall the traceroute shows the IP of the outside interface multiple times and I don't know how to fix it; I even tried the command "icmp deny any outside" and the traces and pings are still allowed.

Any idea?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Behavior >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Tracing route to 55.55.55.80 over a maximum of 30 hops

  1     3 ms     2 ms     2 ms  172.31.201.254
  2     3 ms     8 ms     9 ms  184.105.203.85
  3     9 ms     8 ms     6 ms  216.66.78.114
  4    14 ms    14 ms    14 ms  55.55.55.6
  5    15 ms    16 ms    17 ms  55.55.55.6
  6    14 ms    13 ms    14 ms  55.55.55.6
  7    14 ms    14 ms    15 ms  55.55.55.6
  8    14 ms    16 ms    14 ms  55.55.55.6
^C


Tracing route to 55.55.55.243 over a maximum of 30 hops

  1     1 ms     1 ms     8 ms  172.31.201.254
  2     4 ms     2 ms     2 ms  184.105.203.85
  3    13 ms     3 ms     3 ms  216.66.78.114
  4     *        *        *     Request timed out.
  5    31 ms    14 ms    14 ms  55.55.55.243

Trace complete.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My configuration >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

icmp unreachable rate-limit 1 burst-size 1
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
access-list interface_outside extended permit icmp any any source-quench
access-list interface_outside extended permit icmp any any unreachable
access-list interface_outside extended permit icmp any any time-exceeded
access-list interface_outside extended permit icmp any any echo-reply
access-list interface_outside extended permit icmp any any echo

Thanks.

Rolando Valenzuela.
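As an added example (not part of the thread), a small Python check that parses Windows tracert output like the one above and flags runs of consecutive hops answered by the same address, so the "same IP on many hops" symptom can be spotted across several firewalls without reading each trace by eye. The sample text is a constructed copy of the first trace in the question; the "Request timed out." handling covers the second.

```python
import re

# Constructed sample: the Windows tracert output quoted in the question
# (hops 4 to 8 are all answered by the router's outside address 55.55.55.6).
TRACE_LOOPING = """\
Tracing route to 55.55.55.80 over a maximum of 30 hops

  1     3 ms     2 ms     2 ms  172.31.201.254
  2     3 ms     8 ms     9 ms  184.105.203.85
  3     9 ms     8 ms     6 ms  216.66.78.114
  4    14 ms    14 ms    14 ms  55.55.55.6
  5    15 ms    16 ms    17 ms  55.55.55.6
  6    14 ms    13 ms    14 ms  55.55.55.6
  7    14 ms    14 ms    15 ms  55.55.55.6
  8    14 ms    16 ms    14 ms  55.55.55.6
^C
"""

# One tracert hop line: hop number, three probes ("<n> ms" or "*"), responder.
HOP_RE = re.compile(r"^\s*(\d+)((?:\s+(?:<?\d+ ms|\*)){3})\s+(.+?)\s*$")
PROBE_RE = re.compile(r"<?(\d+) ms|\*")

def parse_tracert(text):
    """Return [(hop, [rtt_ms or None] * 3, address or None)]; header, blank,
    "^C" and "Trace complete." lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [int(p.group(1)) if p.group(1) else None for p in PROBE_RE.finditer(m.group(2))]
        # "Request timed out." means no ICMP time-exceeded came back for this TTL.
        addr = None if m.group(3).startswith("Request timed out") else m.group(3)
        hops.append((int(m.group(1)), rtts, addr))
    return hops

def repeated_hops(hops, min_run=2):
    """Return (address, first_hop, last_hop) for each run of consecutive hops
    answered by the same address. A router normally shows up once; a run means
    one device kept answering as the TTL grew, which is the symptom reported."""
    runs, i = [], 0
    while i < len(hops):
        addr, j = hops[i][2], i
        while addr is not None and j + 1 < len(hops) and hops[j + 1][2] == addr:
            j += 1
        if addr is not None and j - i + 1 >= min_run:
            runs.append((addr, hops[i][0], hops[j][0]))
        i = j + 1
    return runs
```

For the sample above, `repeated_hops(parse_tracert(TRACE_LOOPING))` returns `[("55.55.55.6", 4, 8)]`; a trace with a single timed-out hop and a final answer from the destination returns an empty list.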

8 Replies

Maykol Rojas
Cisco Employee

Hello Rolando,

Quick question there: are the IPs you are seeing multiple times within the outside interface range? I've seen this once or twice.

Let us know. 

Mike. 


Good day Maykol!

Yes it is.

Rolando Valenzuela.

Can you quickly double check the NAT rules associated with the IP address that is shown multiple times? 

Mike. 


Not sure if we are talking about the same thing, but here's the deal:

>>>>>>>>> Our configuration >>>>>>>>>

Internet --- Router --- Firewall

The internet-facing router has the IP 55.55.55.6, while the firewall has 55.55.55.1 on the outside interface.

There are a lot of things NATed as .1 and some others as .50, .200, .80, etc., but nothing as .6.

Not sure how to answer your question but maybe this can help:

global (outside) 1 interface
global (outside) 3 55.55.55.50
global (outside) 5 55.55.55.46
global (outside) 6 55.55.55.18
global (outside) 7 55.55.55.155
global (outside) 8 55.55.55.37
global (inside) 4 55.55.55.50


nat (inside) 0 access-list nonat
nat (inside) 7 access-list proxy-outbound-nat
nat (inside) 8 access-list exchange-nat
nat (inside) 3 access-list custom-nat
nat (inside) 6 access-list DNS-out
nat (inside) 1 10.10.80.171 255.255.255.255
nat (inside) 1 10.10.80.180 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

Thanks for all the help!

Rolando Valenzuela.

It does help a lot. 

Are you doing the traceroute from the inside network? Using the example you give at the very beginning, is 55.55.55.80 natted to something on your internal network? 

Mike

55.55.55.80 is NATed to 10.34.4.11

access-list acl0 extended permit tcp any gt 1023 host 55.55.55.80 eq https
access-list acl0 extended permit tcp any gt 1023 host 55.55.55.80 eq www
static (inside,outside) tcp 55.55.55.80 https 10.34.4.11 12345 netmask 255.255.255.255

Yes, right now the traces are from the inside network, but I found out because a customer told me about that odd behavior, so it seems it also happens from the outside. I'm not sure if it is only when using a Windows machine, since I cannot reproduce it using my cellphone with PingTools or with Ping.eu.

Thanks again!

Rolando Valenzuela

I have a theory, one being the fact that since it is not a 1-to-1 translation to a host on the inside, when the ICMP request gets to the router, it tries to forward it to the ASA and sends itself as a hop; for each attempt that the host makes, nobody will respond to that packet (since the translation is only for layer 4 packets), so the host keeps trying, and that would explain why you see the same hop many times.

With UDP it is different, since the packets 

I think this is something fairly easy to reproduce; I'm going to take some time and sit down and test around this.

Oh, by the way, I'm sure this gets fixed by doing a one-to-one translation, something that may not be easy to do in most environments.

Mike. 


Hi Maykol, sorry to bother you again after all this time, but I'm seeing this behavior in more than one firewall now :( Any idea?
