I was running a traceroute to a remote server that goes through our new ASA5516-X firewalls, via a private link to our partner site. I know it is at least 5 hops to reach this server, as we just migrated from our older 55xx EOL firewalls and could reach these servers. However, it appears that our ASA5516 is acting as a proxy for the server, so I cannot "see" into the partner network to assure the path is valid.
What configuration option do I need to change to stop the ASA5516 from responding for the remote servers/sites?
Tracing route to xxxx.xxxx.xx.site [xx.xx.xx.37]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 1xx.x.x.1 <-- Core Router
2 <1 ms <1 ms <1 ms xxxx.xxxx.xx.site [xx.xx.xx.37] <--ASA5516 firewall
3 * * * Request timed out. <--same response to 30 hops
To permit return ICMP traffic, modify your ACL:
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
To make the ASA appear as a hop in the traceroute you would need to decrement the TTL:
set connection decrement-ttl
Here is a guide for you with more information.
Thank you, but as we "trust" the partner network, we already allow all ICMP from their networks back through our firewall.
The issue isn't return traffic, but the ASA responding FOR the remote servers. (It shows a valid response and the END server's DNS resolution and IP at the firewall's traceroute hop, the second hop, not the 5th/6th hop where the server actually resides!)
I need to find out how to make the firewall NOT proxy the end-response traceroute destination...
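The symptom described in this thread (an in-path device answering with the destination's own address, after which every later hop times out) is easy to miss when scanning traceroute output by eye. The following is an added example, not code from the thread or from Cisco, that parses Windows tracert output and flags exactly that pattern. The hostnames and addresses in the two embedded samples are constructed (RFC 5737 documentation ranges) and stand in for the masked values in the original post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample shaped like the trace in the thread: hop 2 (the firewall)
# already reports the destination's name and address, and every later hop
# times out. Names and addresses are placeholders, not the poster's values.
SAMPLE_PROXIED = """\
Tracing route to srv.partner.example [203.0.113.37]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  192.0.2.1
  2    <1 ms    <1 ms    <1 ms  srv.partner.example [203.0.113.37]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

# Constructed sample of a healthy trace: the destination answers only at
# the final hop and tracert terminates there.
SAMPLE_NORMAL = """\
Tracing route to srv.partner.example [203.0.113.37]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  192.0.2.1
  2     2 ms     2 ms     2 ms  198.51.100.1
  3     9 ms     9 ms     9 ms  198.51.100.254
  4    12 ms    12 ms    12 ms  srv.partner.example [203.0.113.37]

Trace complete.
"""

TARGET_RE = re.compile(r"Tracing route to \S+ \[([\d.]+)\]")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    number: int
    address: Optional[str]  # None when all three probes timed out


def parse_tracert(text: str) -> Tuple[str, List[Hop]]:
    """Return (target address, hops) from Windows tracert output."""
    target = None
    hops: List[Hop] = []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = m.group(1)
            continue
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # blank lines, "over a maximum of", "Trace complete."
        number = int(parts[0])
        if "Request timed out" in line:
            hops.append(Hop(number, None))
            continue
        # The responder is the last IPv4 literal on the line: either a bare
        # address or the bracketed one printed after a resolved name.
        ips = IP_RE.findall(line)
        hops.append(Hop(number, ips[-1] if ips else None))
    if target is None:
        raise ValueError("no 'Tracing route to' header found")
    return target, hops


def find_proxied_destination(target: str, hops: List[Hop]) -> Optional[int]:
    """Return the hop number that answered with the target's address while the
    trace kept going, or None if the target only answered as the final hop.

    tracert stops as soon as the destination itself replies, so any hops
    printed after the one carrying the target address mean that reply came
    from something in the path rather than from the end host."""
    for i, hop in enumerate(hops):
        if hop.address == target:
            return hop.number if i + 1 < len(hops) else None
    return None


if __name__ == "__main__":
    for label, sample in (("proxied", SAMPLE_PROXIED), ("normal", SAMPLE_NORMAL)):
        target, hops = parse_tracert(sample)
        suspect = find_proxied_destination(target, hops)
        if suspect is None:
            print(f"{label}: destination {target} answered only at the final hop")
        else:
            print(f"{label}: hop {suspect} answered as {target} but the trace "
                  f"continued; an in-path device is replying for the destination")
```

Run it against a saved tracert capture to confirm whether the second hop is really replying with the destination's address before spending time on ACLs for return traffic; if the check reports a proxied destination, the problem is on the device at that hop, not on the far side of the link.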