Traceroute on VPN client to internal IP - weird behaviour

Difan Zhao
Level 5

Hi experts,

I have configured the 5510 with RA IPSec VPN. The ASA is running code 8.4(5). Everything works, but the (Windows) traceroute behaviour is strange. The number of replies (unreachable messages) is consistent, however they all appear to be from the target IP... Here is an example:

c:\Users\xxx> tracert -d 10.80.0.11

Tracing route to 10.80.0.11 over a maximum of 30 hops

  1    16ms    27ms    14ms  10.80.0.11
  2    19ms    15ms    14ms  10.80.0.11
  3    14ms    23ms    17ms  10.80.0.11

Trace complete

Then I logged in to every router/switch in the path and ran debug ICMP. They are all sending the unreachable messages from their own IP addresses. I also confirmed this by capturing the packets on the ASA inside interface. It seems that the ASA somehow converts those IPs to the target IP. I think it is to protect the internal routing structure from the outside... Any way to disable this behaviour?

I have tried "set connection decrement-ttl" but it doesn't help. I have also tried to add a NAT "nat (outside,inside) source static VPN-SUBNET VPN-SUBNET" and that doesn't help either...

Thanks,


5 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you add the following command:

fixup protocol icmp-error

clear local-host

And then let me know

If that doesn't do it, then you are going to take a look at this:

CSCtj50797 - Traceroute to or through ASA always shows destination IP

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Works like a charm

Thanks!

Hello Difan,

My pleasure to hear,

Amazing to hear that the fixup protocol icmp-error did it

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That command is automatically converted to

  inspect icmp error

under the default policy-map

Hello,

Exactly

But it's easier to add just that command instead of 3 right ?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
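The forwarding difference that `inspect icmp error` makes, modelled in Python as an added example; this is not part of the original thread and not Cisco's code. It builds a constructed ICMP Time Exceeded (type 11) from each intermediate hop, parses the original probe's destination out of the quoted IP header, and applies the two outcomes Cisco documents for this inspection: with it off the ASA does not translate the intermediate node, so the client sees the destination of the original flow on every line (the tracert output in the question); with it on the ASA creates an xlate for the hop and the hop's own address survives. The client, router and server addresses are constructed, identity NAT is assumed as in the thread, and the checksums are left at zero because nothing here verifies them.

```python
"""Model of ASA ICMP error forwarding with and without `inspect icmp error`.

Added illustration, not Cisco code. Builds constructed ICMP Time Exceeded
packets from intermediate hops, parses the quoted original datagram, and
returns the source address a VPN client would print in tracert.
Identity NAT is assumed (VPN-SUBNET to VPN-SUBNET), so no address is rewritten.
"""
import ipaddress
import struct

# ICMP types that quote the offending datagram: dest unreachable, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 11, 12}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum stays zero because nothing here checks it."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def echo_request(src, dst, ttl):
    """Probe as Windows tracert sends it: ICMP echo request with a small TTL."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ipv4_header(src, dst, proto=1, payload_len=len(icmp), ttl=ttl) + icmp


def echo_reply(src, dst):
    """The target answers the final probe with an echo reply, which is not an ICMP error."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    return ipv4_header(src, dst, proto=1, payload_len=len(icmp)) + icmp


def time_exceeded(hop, probe):
    """ICMP type 11 sent by `hop`, quoting the expired probe's IP header plus 8 bytes."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
    probe_src = str(ipaddress.IPv4Address(probe[12:16]))
    return ipv4_header(hop, probe_src, proto=1, payload_len=len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Return (outer_src, original_dst) for an ICMP error, or None for any other packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] not in ICMP_ERROR_TYPES:
        return None
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    quoted = pkt[ihl + 8:]  # original IP header follows the 8-byte ICMP header
    original_dst = str(ipaddress.IPv4Address(quoted[16:20]))
    return outer_src, original_dst


def hop_seen_by_client(pkt, inspect_icmp_error):
    """Source address the client sees after the ASA forwards the packet.

    Inspection off: the intermediate node is not translated, so the error
    arrives carrying the destination of the original flow.
    Inspection on: the ASA creates an xlate for the hop and keeps its address.
    Non-error ICMP (the target's echo reply) is forwarded with its own source either way.
    """
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return str(ipaddress.IPv4Address(pkt[12:16]))
    outer_src, original_dst = parsed
    return outer_src if inspect_icmp_error else original_dst


def simulate_tracert(client, target, hops, inspect_icmp_error):
    """Addresses as tracert would list them: one per intermediate hop, then the target."""
    seen = []
    for ttl, hop in enumerate(hops, start=1):
        probe = echo_request(client, target, ttl)
        seen.append(hop_seen_by_client(time_exceeded(hop, probe), inspect_icmp_error))
    seen.append(hop_seen_by_client(echo_reply(target, client), inspect_icmp_error))
    return seen


if __name__ == "__main__":
    # Constructed topology: VPN client, two internal routers, target server.
    client, target, routers = "192.168.100.5", "10.80.0.11", ["10.1.0.1", "10.2.0.1"]
    for flag in (False, True):
        state = "on " if flag else "off"
        print(f"inspect icmp error {state}:", simulate_tracert(client, target, routers, flag))
```

With inspection off every line of the simulated trace reads 10.80.0.11, which is the symptom in the question; with it on the two routers appear under their own addresses. The model does not rewrite addresses because the thread's NAT is identity; under a real translation the ASA would additionally rewrite the hop's address according to the NAT policy.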