I've got an ISR4331 running 12.16.4 set up to be our office edge device running NAT overload to the ISP (using VRF-aware NAT) and ZBF inside-out with a match-any that includes UDP and ICMP (and other stuff above of course). It works perfectly for all users and they are happy bunnies.
A UDP traceroute from a *nix box to 22.214.171.124 works fine and passes via the core switch, through the ISR and off over the Internet. A check of the NAT translations and ZBF firewall-policy shows the expected results.
Similarly, a Windows ICMP ping also works fine... but a Windows ICMP tracert seems to partly work and then stop.
Tracing route to 126.96.36.199 over a maximum of 30 hops
1 7 ms 4 ms 3 ms 10.www.x.1 <- Site's Core switch
2 3 ms 3 ms 16 ms 10.www.x.4 <- Site's ISR ZBF/NAT edge device 'inside interface'
3 4 ms 3 ms 6 ms xx.xxx.xxx.71 <- Our ISP's Onsite Router
4 7 ms * * yy.yy.yy.1
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 7 ms 9 ms 6 ms 188.8.131.52
We get three replies from outside of the ISR (Hop 3) which is the ISP's site router and then one reply from the next device (Hop 4) before we get timeouts until the final reply from the target.
I have tried this on a number of similar devices/sites and they all get the same results - first hop outside the ISR gets three replies but the next hop gets one reply and then nothing more until the final destination replies.
I'm obviously missing something but I just can't put my finger on what it could be.
Any ideas gratefully received.... (except for replacing with an ASA which is not an option in this case!).