Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4437
Views
0
Helpful
1
Replies

Traceroute output do not show firewall as next-hop while firewall is connected by SVI from my core-SW

Go to solution
olly ahmed
Level 1
Level 1

‎11-12-2016 05:18 AM - edited ‎03-08-2019 08:08 AM

Hi all,

I have a question. In my production network I saw in a layer-3 switch there is configured a default route pointing towards next-hop ip (virtual IP of firewall inside) and the next-hop ip block is configured in a VLAN in the layer-3 switch. When I do trace I do not see the firewall ip address in the trace. Here you can tell that might be firewall is denying trace. But my observation is, if firewall is denying trace then I could see some timeout result for a hop in the trace path. But I did not see any timeout in the trace path rather I saw another IP address which is not the next-hop ip that we configured, it is the IP of a NIPS which is connected to outside interface of the firewall. Can anyone help to understand what is happening here ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎11-12-2016 09:06 AM

Which firewall are you using? If it's a Cisco ASA, it would be normal behavior as the ASA doesn't decrement the TTL by default. If you wan't to see the ASA in a traceroute, it can be enable with MPF.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Karsten Iwen
VIP
VIP

‎11-12-2016 09:06 AM

Which firewall are you using? If it's a Cisco ASA, it would be normal behavior as the ASA doesn't decrement the TTL by default. If you wan't to see the ASA in a traceroute, it can be enable with MPF.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card