https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048674#M402697 <P>Hey Gents/ladies</P><P></P><P>We have a ASA 5505 and a 5510, that we are using site to site..</P><P>I need to traceroute from the 5505-5510.. From the outside interfaces.. Don't want to do this through the site-to-site.</P><P>If you know what i mean..</P><P></P><P>I have temporarily added a few acl on the outside interfaces..</P><P></P><P>access-list outside_in extended permit icmp any any unreachable</P><P>access-list outside_in extended permit icmp any any time-exceeded</P><P>access-list outside_in extended permit icmp any any echo-reply</P><P></P><P></P><P></P><P>access-group outside_in in interface outside</P><P></P><P></P><P>when i traceroute it only goes one hop.. Maybe thats the way it suppose to be?</P><P></P><P>I need to know all the hops between the outside interfaces on the 5505 to the outside interface on the 5510..</P><P>Is it possible? <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 00:09:54 GMT Shane Riley 2019-03-12T00:09:54Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048674#M402697 <P>Hey Gents/ladies</P><P></P><P>We have a ASA 5505 and a 5510, that we are using site to site..</P><P>I need to traceroute from the 5505-5510.. From the outside interfaces.. Don't want to do this through the site-to-site.</P><P>If you know what i mean..</P><P></P><P>I have temporarily added a few acl on the outside interfaces..</P><P></P><P>access-list outside_in extended permit icmp any any unreachable</P><P>access-list outside_in extended permit icmp any any time-exceeded</P><P>access-list outside_in extended permit icmp any any echo-reply</P><P></P><P></P><P></P><P>access-group outside_in in interface outside</P><P></P><P></P><P>when i traceroute it only goes one hop.. Maybe thats the way it suppose to be?</P><P></P><P>I need to know all the hops between the outside interfaces on the 5505 to the outside interface on the 5510..</P><P>Is it possible? <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 00:09:54 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048674#M402697 Shane Riley 2019-03-12T00:09:54Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048675#M402698 <HTML><HEAD></HEAD><BODY><P>If you are traceroute between the 2 outside interfaces of the ASA, then you don't need to configure any ACL on the ASA.</P><P>And yes, it is definitely possible unless your ISP is blocking traceroute.</P><P></P><P>Did you try traceroute from both ends and both only goes up one hop?</P><P>Do you happen to use the same ISP on both ends?</P></BODY></HTML> Tue, 16 Oct 2012 11:23:22 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048675#M402698 Jennifer Halim 2012-10-16T11:23:22Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048676#M402699 <HTML><HEAD></HEAD><BODY><P>Oh right didn't know <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Yeah did it from both ends, also from a server on one of the dmz IP..</P><P></P><P>But probably the problem is that its from the same ISP?</P><P></P><P>/Shane</P></BODY></HTML> Tue, 16 Oct 2012 11:51:52 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048676#M402699 Shane Riley 2012-10-16T11:51:52Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048677#M402700 <HTML><HEAD></HEAD><BODY><P>Have you tried to traceroute to something on the internet and see if that works? Just try to traceroute to 4.2.2.2</P></BODY></HTML> Tue, 16 Oct 2012 11:54:28 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048677#M402700 Jennifer Halim 2012-10-16T11:54:28Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048678#M402701 <HTML><HEAD></HEAD><BODY><P>Yes i tried from the asa 5510 source (outside interface) and it works fine <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>But the trick is to find the route from the 5510 to the 5505.. <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>I'll try to connect my computer from a ip thats not connected to the firewall but's still located on the same ISP ip range...</P><P>Maybe i am on the wrong track...</P><P></P><P>/Shane&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Tue, 16 Oct 2012 12:04:39 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048678#M402701 Shane Riley 2012-10-16T12:04:39Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048679#M402702 <HTML><HEAD></HEAD><BODY><P>Ahh, try this: from ASA5510 can you traceroute to the ASA5505 default gateway, and vice versa?</P></BODY></HTML> Tue, 16 Oct 2012 12:14:26 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048679#M402702 Jennifer Halim 2012-10-16T12:14:26Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048680#M402703 <HTML><HEAD></HEAD><BODY><P>This is from the 5505 traceroute to the default gateway of the 5510...same results when i trry tio traceroute to the 4.2.2.2 from the 5505</P><P></P><P>KAKORTGW01# traceroute x.x.x.x source outside</P><P></P><P>Type escape sequence to abort.</P><P>Tracing the route to x.x.x.x</P><P></P><P> 1&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 2&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 3&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 4&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 5&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 6&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 7&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 8&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 9&nbsp;&nbsp; *&nbsp; *&nbsp; *</P><P> 10&nbsp; *&nbsp; *&nbsp; *</P><P> 11&nbsp; *&nbsp; *&nbsp; *</P><P> 12&nbsp; *&nbsp; *&nbsp; *</P><P> 13&nbsp; *&nbsp; *&nbsp; *</P><P> 14&nbsp; *&nbsp; *&nbsp; *</P><P> 15&nbsp; *&nbsp; *&nbsp; *</P><P> 16&nbsp; *&nbsp; *&nbsp; *</P><P></P><P>I don't know the default gateway of the 5505, the outside interface is configured to get the ip from dhcp..So i can't try from the 5510 to the default gateway of the 5505. <SPAN __jive_emoticon_name="plain" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Tue, 16 Oct 2012 12:49:19 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048680#M402703 Shane Riley 2012-10-16T12:49:19Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048681#M402704 <HTML><HEAD></HEAD><BODY><P>So you can traceroute to 4.2.2.2 from 5510, but not from 5505?</P><P></P><P>You can check the default gateway of 5505 by checking the route: show route</P></BODY></HTML> Tue, 16 Oct 2012 12:52:03 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048681#M402704 Jennifer Halim 2012-10-16T12:52:03Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048682#M402705 <HTML><HEAD></HEAD><BODY><P>Oh damn i feel stupid,&nbsp; forgot about that command.. that was easy <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> Thanks really appreciate your help..</P><P></P><P>yes exactly i can traceroute to 4.2.2.2 form the 5510 but not from the 5505</P><P></P><P></P><P>Traceroute from the 5510 to the 5505s default gateway is 8 hops <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Tue, 16 Oct 2012 12:57:52 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048682#M402705 Shane Riley 2012-10-16T12:57:52Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048683#M402706 <HTML><HEAD></HEAD><BODY><P>Something weird happening on the 5505 end. I would check with the ISP.</P></BODY></HTML> Tue, 16 Oct 2012 13:17:50 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048683#M402706 Jennifer Halim 2012-10-16T13:17:50Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048684#M402707 <HTML><HEAD></HEAD><BODY><P>Well maybe it has something to do with the 5505, it has easy vpn enabled, i just saw that now <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/sad.gif"></SPAN> vpnclient server is the ip address of the 5510.. Don't know how the easy vpn works exactly..</P></BODY></HTML> Tue, 16 Oct 2012 13:53:47 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048684#M402707 Shane Riley 2012-10-16T13:53:47Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048685#M402708 <HTML><HEAD></HEAD><BODY><P>Ahh, no wonder.</P><P>Easy vpn, it really depends on which mode it's on and also if split tunneling is configured or not.</P><P>It most probably sends everything through the VPN tunnel towards the 5510.</P><P>You can temporarily disable the easy vpn, and perform the traceroute, and re-enable it.</P></BODY></HTML> Tue, 16 Oct 2012 14:04:30 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048685#M402708 Jennifer Halim 2012-10-16T14:04:30Z https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048686#M402709 <HTML><HEAD></HEAD><BODY><P>Alright i try to disable the easy vpn and perform the traceroute and see <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P>I'll get back to you in a bit..</P><P></P><P>Thanks</P><P>Shane</P></BODY></HTML> Tue, 16 Oct 2012 14:13:17 GMT https://community.cisco.com/t5/network-security/traceroute-between-two-asa/m-p/2048686#M402709 Shane Riley 2012-10-16T14:13:17Z