[c-nsp] Traceroute results masking path to destination

Randy Heimann heimannrj at gmail.com
Fri Feb 3 07:46:37 EST 2012


That looks exactly like what is happening to my traces.  I am sitting on the 'outside'.  Thanks for the link.

-Randy


-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk] 
Sent: Thursday, February 02, 2012 7:43 PM
To: Randy Heimann
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Traceroute results masking path to destination

On Thu, 2012-02-02 at 14:39 +0100, Randy Heimann wrote:
> I am having some difficulty understanding some trace route results 
> that I am receiving from the network I am on.  If I tracert from my 
> location (France), the results are all masked with the destination 
> address (Google's public DNS).  I understand that something in the 
> network is substituting the actual hop address with the dest. address, 
> but I do not completely understand why this is happening or how it is being accomplished.

I seem to remember that some PIX/ASA firewalls would do this "inspect icmp error". Take a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace

On an ASA 8.2 one seems to only be able to either hide the intermediate hops altogether or make them plain visible. I'm trying a traceroute from inside to outside, and the other way might be different. Maybe you're on the "outside" (lower security level) interface of a firewall in between you and 8.8.8.8. :-)

--
Peter






More information about the cisco-nsp mailing list