Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2561
Views
0
Helpful
2
Replies

Tracert: Identical Hostname/IP Every Hop ?!?

Go to solution
SteAnnesIT
Level 1
Level 1

‎01-17-2013 01:58 PM - edited ‎03-11-2019 05:48 PM

Running an ASA5505.  Version 9.1.1.

I have the following in the configuration.. Using PAT (And some static NATs inside but not shown here).

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended permit icmp any any time-exceeded

object network obj_any

nat (inside,outside) dynamic interface

policy-map global_policy

class inspection_default

  inspect icmp

Ping is working just fine,  but when I run a tracert I get the most bizarre responses I've ever seen.  They all reply with the same hostname and ip address for every hop though the ping times seem to be working now (before I had nothing but asterisks until the final hop)..  

Here's an example:

Tracing route to yahoo.com [206.190.36.45]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  2     4 ms     4 ms     4 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  3     5 ms     5 ms     5 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  4    65 ms    66 ms    63 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  5    67 ms    63 ms    63 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  6    63 ms    63 ms    63 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  7    62 ms    65 ms    63 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  8    62 ms    69 ms    62 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  9    67 ms    69 ms    67 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
10    67 ms    68 ms    67 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
11    68 ms   122 ms    67 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
12    69 ms    75 ms    68 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
13    68 ms    74 ms    74 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
14   151 ms    97 ms    76 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]

Trace complete.

Is there any good reason for this happening from a (mostly) factory default ASA5505 config?   What is the point of a trace route that doesn't help you trace the route?  lol.. 

Any help would be great,  I don't use it everyday but tracert is a basic tool everyone should be able to use and right now mine is broken.

----EDIT to add my solution----

I basicly did (added) the following and tracert replies are looking better now:

policy-map global_policy

class inspection_default

inspect icmp error

class class-default

set connection decrement-ttl

access-list outside_in extended permit icmp any any unreachable

icmp unreachable rate-limit 10 burst-size 5

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-17-2013 08:42 PM

You typically need to tweak an ASA config to allow traceroute to work through it. There are several threads covering this. See, for instance, this one:

https://supportforums.cisco.com/thread/2083669

Hope this helps.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-17-2013 08:42 PM

You typically need to tweak an ASA config to allow traceroute to work through it. There are several threads covering this. See, for instance, this one:

https://supportforums.cisco.com/thread/2083669

Hope this helps.

0 Helpful

Go to solution
Gerard Roy
Level 2
Level 2
In response to Marvin Rhoads

‎03-25-2019 09:57 PM

Broken Link!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card