

Why is the TTL 126 when packets are passed through only one NAT server?

Question

Friday, November 4, 2011 8:31 PM

Hi all,

I have a client with an IP address of 10.1.1.1. When I connect it to a router and ping the outer interface of the router, the ping TTL is 127.

But why, when I deploy that server as a NAT server, is the ping TTL 126?

Another question: what about the router? When I tracert the outer interface of the router, the first line is always * * *?

Thanks in advance.

All replies (1)

Saturday, November 5, 2011 6:45 PM ✅ Answered

Ping TTL

The TTL is the Time To Live: the maximum amount of time, in seconds, that a packet can exist on an IP network.

When a machine sends an ICMP packet (a "ping"), it sets a TTL on it. For example, I believe all Windows operating systems use 128 seconds. You can find your TTL by pinging 127.0.0.1.

Also, as a packet goes through a router (a "hop"), the TTL is decremented by 1 second. Each router will decrement it. So we can say the TTL is affected by the hop count (how many routers it went through). Once it reaches zero, a router will discard the packet, and an ICMP 'TTL Expired in transit' message is sent back to the sending IP address. Otherwise, we would have packets from the 1990s still on the wire.

In addition, some hosts will respond by decrementing the packet by a larger factor. For example, when I ping a Linksys E4200 router, it decrements it by 64, so the resulting TTL in the response is 64. However, when I ping a Cisco ASA 5505, it resets the TTL in the response to 255.

What you are seeing is that when you ping from your machine, it's setting it to 128. Apparently pinging the outer NAT server's interface IP in route mode is reducing it by 1. When you ping the same interface when set to NAT mode, it will reduce it by 2, due to the NAT translation being an extra hop.


Tracert

To respond to your Tracert question: if you are using tracert and you are getting any * * *, that means one of several things.

  • The IP in the hops the tracert is pinging is not allowing tracert
  • The IP at your router/firewall is not allowing tracert
  • Your local machine firewall is blocking tracert

FYI, to allow a ping response, you must allow "ICMP echo-response." However, there are multiple facets to ICMP, not just echo-response. ICMP echo response is just one part of the ICMP messaging features tracert uses. There are a total of four that need to be allowed by either your perimeter firewall, your machine, or all the hops between your machine and what you're running a tracert to.

In the example access list below, I am allowing ping and tracert responses through my Cisco ASA 5505 firewall. Besides the ASA series, these commands also work with all PIX series firewalls with IOS 5x or newer:

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench

More info on allowing tracert in a Cisco firewall:
https://supportforums.cisco.com/thread/227921
https://supportforums.cisco.com/thread/262353

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
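An added example, not from the thread or either poster: a small Python simulation that treats the TTL as a per-router hop counter, infers the hop count from the 127 and 126 reply TTLs the question mentions, and models why a tracert line shows * * * when a hop filters ICMP time-exceeded. The hop names and the filtering flag are constructed for the demonstration.

```python
from dataclasses import dataclass

# Initial TTLs mentioned in the thread: Linksys-style 64, Windows 128, Cisco ASA 255.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_hops(reply_ttl: int) -> tuple[int, int]:
    """Return (assumed initial TTL, hop count) for the TTL seen in a ping reply.
    Each router subtracts 1, so hops = initial - reply; the initial value is taken
    as the smallest common starting TTL that is >= the observed reply TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if reply_ttl <= initial:
            return initial, initial - reply_ttl
    raise ValueError("TTL cannot exceed 255")


@dataclass
class Hop:
    name: str
    blocks_time_exceeded: bool = False  # constructed flag: hop drops ICMP time-exceeded


def traceroute(routers: list[Hop], destination: str, max_ttl: int = 8) -> list[str]:
    """Simulate tracert. Probes go out with TTL 1, 2, 3, ...; every router
    decrements the TTL, and the router that drives it to 0 discards the probe and
    answers with ICMP time-exceeded (shown as * * * if that router filters it).
    A probe that survives every router reaches the destination, which echo-replies."""
    output = []
    for probe_ttl in range(1, max_ttl + 1):
        ttl = probe_ttl
        line = None
        for router in routers:
            ttl -= 1
            if ttl == 0:
                line = "* * *" if router.blocks_time_exceeded else router.name
                break
        if line is None:  # survived all routers: destination answers the probe
            line = destination
        output.append(f"{probe_ttl:2d}  {line}")
        if line == destination:
            break
    return output


if __name__ == "__main__":
    print(infer_hops(127))  # (128, 1): Windows host one router away, as in the question
    print(infer_hops(126))  # (128, 2): one extra decrement, the NAT case in the question
    # Constructed path: the edge router filters time-exceeded, so line 1 shows * * *
    path = [Hop("router-outside", blocks_time_exceeded=True), Hop("isp-gw")]
    for row in traceroute(path, "target-host"):
        print(row)
```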