Traceroute Question
marcusaureliusbrutus
Hi,
I am dumbfounded over this problem I have.
Whenever I do a traceroute using PingPlotter (uses ICMP, not UDP), I get replies from all devices in the path but not from the ASA and our perimeter router. I understand why the ASA doesn't show, but I am confused why our perimeter router, which is the next-hop device after our ASA, fails to show in the traceroute results. I connected a laptop to a switch which connects to the perimeter router, and traceroute tests show it responding.
Checking the ASA I am able to verify the below:
1. ip inspect icmp and ip inspect icmp error are enabled globally on the ASA.
2. Applied ACL on outside interface allowing all ICMP to inside.
3. Applied ACL on inside interface allowing all ICMP to outside.
4. Traceroute from the ASA shows the perimeter router replying.
I would really appreciate any help here.
Thanks in advance.
Comments
fightclub34
I think on the ASA ICMP are separate access lists. I don't think you apply them on the interface ACL; you apply it on the ICMP ACL.
Sepiraph
On *nix systems, traceroute uses UDP instead of ICMP (which is used in Windows systems). Did you check you have open UDP ports on the ASA? Also I think you can always log the deny ACL using the log option, which makes troubleshooting ACLs easier.
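The ASA-side checks discussed in this thread (ICMP inspection, the outside-interface ACL, logging of denies, and verifying the path on the box) written out as an added configuration example. This is not the poster's configuration or Cisco's own text; the interface names (inside, outside), the ACL name OUTSIDE_IN and the addresses 10.0.0.10 and 203.0.113.1 are assumed placeholders.

```text
! Added example, not the original poster's config. Names and addresses
! are placeholders.

! 1. ICMP inspection in the default global policy. "inspect icmp" tracks
!    echo / echo-reply as one session; "inspect icmp error" lets the ASA
!    match ICMP error messages (time-exceeded, unreachable) coming back
!    from intermediate hops to the flow that triggered them, which is
!    exactly what a traceroute depends on.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  ! Optional: by default the ASA does not decrement TTL and so never
  ! appears as a hop; this makes it show up in traceroute output.
  set connection decrement-ttl

! 2. Inbound ACL on the outside interface. With ICMP inspection on, the
!    replies to inside-initiated probes are already allowed as part of
!    the inspected flow; the explicit lines cover the non-inspected case,
!    and the final deny with "log" makes every drop visible in syslog,
!    which is the quickest way to see whether the missing hop's reply
!    is reaching the ASA at all.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. Verification from the ASA CLI (exec mode, not configuration).
!    packet-tracer simulates an ICMP echo (type 8, code 0) from an inside
!    host to the external target and reports which ACL, NAT or inspection
!    phase would drop it; show asp drop counts packets the accelerated
!    security path has discarded, grouped by reason.
!
!    packet-tracer input inside icmp 10.0.0.10 8 0 203.0.113.1
!    show asp drop
!    show service-policy inspect icmp
```

The UDP-based traceroute on *nix mentioned above needs no separate inbound rule for the probes themselves: they leave from inside on high UDP ports, the outbound flow creates the connection state, and the returning ICMP errors are tied back to that flow by "inspect icmp error" in the same way.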