Windows ICMP tracert through vrf-aware NAT & ZBF

james.brunner
Level 1

Hi all,

I've got an ISR4331 running 12.16.4 set up to be our office edge device running NAT overload to the ISP (using VRF-aware NAT) and ZBF inside-out with a match-any that includes UDP and ICMP (and other stuff above of course). It works perfectly for all users and they are happy bunnies.

A UDP traceroute from a *nix box to 8.8.8.8 works fine and passes via the core switch, through the ISR and off over the Internet. A check of the NAT translations and ZBF firewall-policy shows the expected results.

1 10.www.w.1      3 msec  2 msec  2 msec    <- Site's Core switch
2 10.www.w.4      1 msec  1 msec  1 msec    <- Site's ISR ZBF/NAT edge device 'inside interface'
3 xx.xxx.xxx.71   1 msec  1 msec  1 msec    <- Our ISP's Onsite Router
4 yy.yy.yy.1      3 msec  3 msec  4 msec
5 zz.zzz.zzz.222  8 msec  7 msec  5 msec
6 195.229.1.50   12 msec 17 msec  8 msec
7 195.229.4.51    8 msec  8 msec  6 msec
8 * * *
9 8.8.8.8         8 msec  7 msec  7 msec

Similarly, a Windows ICMP ping also works fine... but a Windows ICMP tracert seems to partly work and then stop.

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     7 ms     4 ms     3 ms  10.www.x.1         <- Site's Core switch
  2     3 ms     3 ms    16 ms  10.www.x.4         <- Site's ISR ZBF/NAT edge device 'inside interface'
  3     4 ms     3 ms     6 ms  xx.xxx.xxx.71      <- Our ISP's Onsite Router
  4     7 ms     *        *     yy.yy.yy.1
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     7 ms     9 ms     6 ms  8.8.8.8

We get three replies from outside of the ISR (Hop 3), which is the ISP's site router, and then one reply from the next device (Hop 4) before we get timeouts until the final reply from the target.

I have tried this on a number of similar devices/sites and they all get the same results - first hop outside the ISR gets three replies but the next hop gets one reply and then nothing more until the final destination replies.

I'm obviously missing something but I just can't put my finger on what it could be.

Any ideas gratefully received... (except for replacing with an ASA, which is not an option in this case!).

JB.
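A hop's ICMP Time Exceeded reply quotes the header of the expired probe, and the NAT edge has to read that quoted header to map the reply back to the inside host: a UDP probe is identified by its translated source port, while a Windows ICMP echo probe has no ports and is identified only by its echo identifier. The parser below, an added example and not code from the post or from Cisco, shows exactly which quoted fields that lookup depends on for each probe type; all packet bytes and the 198.51.100.1 / 203.0.113.10 addresses are constructed.

```python
# Added example, not from the original post: parse an ICMP Time Exceeded
# message the way a NAT/firewall must, to recover which inside flow the
# expired probe belonged to. Every packet byte here is constructed.
import struct
TIME_EXCEEDED, ECHO_REQUEST, PROTO_ICMP, PROTO_UDP = 11, 8, 1, 17

def parse_ipv4(buf):
    """Return ({src, dst, ttl, proto}, header_length) for an IPv4 header."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    dotted = lambda b: ".".join(map(str, b))
    return {"src": dotted(src), "dst": dotted(dst), "ttl": ttl, "proto": proto}, ihl

def parse_time_exceeded(pkt):
    """Extract the original probe's flow identifiers from a Time Exceeded error."""
    outer, off = parse_ipv4(pkt)
    icmp = pkt[off:]
    if outer["proto"] != PROTO_ICMP or len(icmp) < 8 or icmp[0] != TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message")
    # RFC 792: the error quotes the original IP header plus its first 8 payload bytes.
    inner, ioff = parse_ipv4(icmp[8:])
    l4 = icmp[8 + ioff:8 + ioff + 8]
    if len(l4) < 8:
        raise ValueError("quoted datagram truncated")
    flow = {"reporter": outer["src"], "inner_src": inner["src"],
            "inner_dst": inner["dst"], "inner_proto": inner["proto"]}
    if inner["proto"] == PROTO_UDP:
        # UDP traceroute: NAT undoes translation by the quoted source port.
        flow["sport"], flow["dport"] = struct.unpack("!HH", l4[:4])
    elif inner["proto"] == PROTO_ICMP and l4[0] == ECHO_REQUEST:
        # Windows tracert: no ports, so NAT must key on the quoted echo identifier.
        flow["echo_id"], flow["echo_seq"] = struct.unpack("!HH", l4[4:8])
    return flow

def ip_hdr(src, dst, proto, ttl):  # minimal 20-byte IPv4 header, checksum left 0
    a = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0, a(src), a(dst))

def build_sample(inner_proto):
    """Time Exceeded from hop 198.51.100.1 for a probe sent from NAT address 203.0.113.10."""
    if inner_proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 33434, 33440, 8, 0)              # UDP sport, dport, len, csum
    else:
        l4 = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x1234, 5)   # echo id 0x1234, seq 5
    quoted = ip_hdr("203.0.113.10", "8.8.8.8", inner_proto, 1) + l4
    return ip_hdr("198.51.100.1", "203.0.113.10", PROTO_ICMP, 250) + struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + quoted
```

Running `parse_time_exceeded(build_sample(PROTO_ICMP))` against a capture taken on the ISR's outside interface is a quick way to confirm whether the returning errors still carry an echo identifier the NAT table knows about.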
