Re: ASA not allowing trace

mohammedrafiq · ‎04-21-2009

Hi,

We have ASA5550 firwalling our LAN from internet,ICMP is open any any both way for test, but when we do trace to a public address on internet , ASA is not showing all the hops along the line. any idea ?

Regards,

andrew.prince · ‎04-21-2009

You need to configure the ASA to decrement the TTL in the traceroute - however there is a security advisory about this, the vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.

HTH>

mohammedrafiq · ‎04-21-2009

Thanks Andy,

Can you send me an example.

Regards,

andrew.prince · ‎04-21-2009

Sure - try:-

!

policy-map global_policy

class class-default

set connection decrement-ttl

!

HTH>

mohammedrafiq · ‎04-21-2009

Andy,

We are not doing any Qos on ASA,is this the only way?

We are running verison 8.04 IOS.

Regards,

andrew.prince · ‎04-21-2009

That is not QoS configuration - it is amending the default policy that exists in the ASA.

There is no other way to configure the ASA to show itself as a hop in a trace route - the ASA will NOT decrement the TTL unless told to.

mohammedrafiq · ‎04-21-2009

Thanks Andy,

Can you send me an example.

Regards,

andrew.prince · ‎04-21-2009

see my previous post.