Options
Traceroute Question
marcusaureliusbrutus
Member Posts: 73 ■■□□□□□□□□
Hi,
I am dumbfounded over this problem i have.
Whenever i do a traceroute using pingplotter (uses icmp not udp), i get replies from all devices in the path but not from the ASA and our perimeter router. I understand why the ASA doesn't show but i am confused why our perimeter router which is the next hop device after our ASA fails to show in the traceroute results. I connected a laptop to a switch which connectes to the perimter router and traceroute tests show it responding.
Checking the ASA i am able to verify the below:
1. ip inspect icmp and ip inspect icmp error is enabled globally on the ASA.
2. Applied ACL on outside interface allowing all ICMPs to inside.
3. Applied ACL on inside interface allowing all ICMPs to outside.
4. Traceroute from ASA shows perimter router replying.
I would really appreciate any help here.
Thanks in advance.
I am dumbfounded over this problem i have.
Whenever i do a traceroute using pingplotter (uses icmp not udp), i get replies from all devices in the path but not from the ASA and our perimeter router. I understand why the ASA doesn't show but i am confused why our perimeter router which is the next hop device after our ASA fails to show in the traceroute results. I connected a laptop to a switch which connectes to the perimter router and traceroute tests show it responding.
Checking the ASA i am able to verify the below:
1. ip inspect icmp and ip inspect icmp error is enabled globally on the ASA.
2. Applied ACL on outside interface allowing all ICMPs to inside.
3. Applied ACL on inside interface allowing all ICMPs to outside.
4. Traceroute from ASA shows perimter router replying.
I would really appreciate any help here.
Thanks in advance.
Comments
-
Optionsfightclub34
Member Posts: 41 ■■□□□□□□□□
i think on the asa icmp are seperate access lists. i dont think you apply them on the interface acl, you apply it on the icmp acl
-
OptionsSepiraph
Member Posts: 179 ■■□□□□□□□□
On *nix systems, traceroute uses UDP instead of ICMP (which is used in Windows system), did you check you have open UDP ports on the ASA ? Also I think you can always log the deny ACL using the log-option, makes troubleshooting ACL easier.