[c-nsp] Traceroute results masking path to destination

Peter Rathlev peter at rathlev.dk
Thu Feb 2 13:42:40 EST 2012


On Thu, 2012-02-02 at 14:39 +0100, Randy Heimann wrote:
> I am having some difficulty understanding some trace route results that I am
> receiving from the network I am on.  If I tracert from my location (France),
> the results are all masked with the destination address (Google's public
> DNS).  I understand that something in the network is substituting the actual
> hop address with the dest. address, but I do not completely understand why
> this is happening or how it is being accomplished.  

I seem to remember that some PIX/ASA firewalls would do this "inspect
icmp error". Take a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace

On an ASA 8.2 one seems to only be able to either hide the intermediate
hops altogether or make them plain visible. I'm trying a traceroute from
inside to outside, and the other way might be different. Maybe you're on
the "outside" (lower security level) interface of a firewall in between
you and 8.8.8.8. :-)

-- 
Peter
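
A small check for the symptom discussed in this thread, as an added example that is not part of the original messages: it parses tracert/traceroute output and reports the TTLs at which a hop before the last one answers with the destination address. The sample traces are constructed; 8.8.8.8 is the destination named in the thread, the other addresses are documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl> <rest of line>"
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: every answering hop reports the destination address.
MASKED_TRACE = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops
  1     1 ms    <1 ms     1 ms  8.8.8.8
  2    12 ms    11 ms    12 ms  8.8.8.8
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    25 ms  8.8.8.8
  5    26 ms    25 ms    26 ms  8.8.8.8
"""

# Constructed sample: intermediate hops show their own addresses.
NORMAL_TRACE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.398 ms  0.377 ms
 2  198.51.100.9 (198.51.100.9)  11.204 ms  11.187 ms  11.090 ms
 3  8.8.8.8 (8.8.8.8)  24.611 ms  24.580 ms  24.502 ms
"""

def parse_hops(text):
    """Return [(ttl, {responder addresses})] from tracert/traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                      # header, blank line or trailer
        addrs = set()
        for cand in IPV4.findall(m.group(2)):
            try:
                addrs.add(ipaddress.IPv4Address(cand))
            except ipaddress.AddressValueError:
                pass                      # e.g. an octet above 255
        hops.append((int(m.group(1)), addrs))
    return hops

def masked_hops(text, destination):
    """TTLs that report the destination address before the last such hop."""
    dest = ipaddress.IPv4Address(destination)
    answering = [ttl for ttl, addrs in parse_hops(text) if dest in addrs]
    return answering[:-1]                 # the last one is the real destination

if __name__ == "__main__":
    print("masked TTLs:", masked_hops(MASKED_TRACE, "8.8.8.8"))
    print("normal trace:", masked_hops(NORMAL_TRACE, "8.8.8.8"))
```

A non-empty result means something on the path is rewriting the source of the ICMP replies, which is the behaviour the question describes.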



