Not getting Correct traceroute result after enabling PBR on ASA from other direction.

surajkumar77703
Level 1

Could anyone please help? After enabling PBR on a Cisco ASA, I am not getting the traceroute result from the other direction.

I have set all the parameters like "set connection decrement-ttl" and allowed IP any any on the firewall for testing.

Below is the Topology:

R3 192.168.1.2 -------- 192.168.1.1 R1 10.1.1.2 ----- (IN) 10.1.1.1 Cisco ASA (Out) 20.1.1.1 ------- 20.1.1.2 R2

I enabled PBR with the IP next-hop set to 10.1.1.2. The route-map ACL is "any" and the interface ACL is also "any".

While doing a traceroute from 10.1.1.2, I get the next hop as the firewall IP 10.1.1.1, and ping is also OK.

While doing a traceroute from 192.168.1.2, I get the next hop as 192.168.1.1 but no hops after that; ping is also working in this case. I checked the packet-tracer result and it looks good from both sides. Also, while doing the traceroute I am getting ASP drops for "ttl exceeded" and also "no adjacency". Could anyone please explain why the firewall is showing this behaviour? Also, when I put normal routes on the Cisco ASA to R1 10.1.1.1 for destination 192.168.1.2, it works.

Why is PBR not working properly in this case?
2 Replies

Hi,

Exclude traceroute from your PBR ACL and it should work. Also, enable inspect icmp.

**** please remember to rate useful posts
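As an added illustration of the suggestion above (not configuration from either poster), this is one way to express the two changes on an ASA: traceroute probes are denied in the PBR ACL so they follow the normal routing table, and ICMP inspection is enabled. The ACL, route-map and class-map names, the interface name and the UDP probe port range are assumptions; the next hop 10.1.1.2 is the one from the question.

```cisco
! Assumed names: PBR_ACL, PBR_MAP, TTL_CLASS; interface name is an example.
! Traceroute probes (UDP 33434-33534 from Unix-style tools, ICMP echo from
! Windows tracert) are excluded from policy routing so the probe and the
! returning ICMP time-exceeded messages both follow the routing table.
access-list PBR_ACL extended deny udp any any range 33434 33534
access-list PBR_ACL extended deny icmp any any
! Everything else is still policy-routed, as in the original "any" ACL.
access-list PBR_ACL extended permit ip any any
!
route-map PBR_MAP permit 10
 match ip address PBR_ACL
 set ip next-hop 10.1.1.2
!
interface GigabitEthernet0/1
 nameif outside
 policy-route route-map PBR_MAP
!
! Decrement TTL so the ASA appears as a hop (already set by the poster),
! and inspect ICMP so echo replies and ICMP errors are matched to the
! connection that caused them instead of being dropped.
class-map TTL_CLASS
 match any
!
policy-map global_policy
 class TTL_CLASS
  set connection decrement-ttl
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
```

After applying the change, `packet-tracer` and `show asp drop` on the ASA are the quickest way to confirm whether the "ttl exceeded" and "no adjacency" drops disappear.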

Thanks Mohammed,

I tried the same, denying traceroute traffic in the PBR ACL and enabling inspect icmp, but still no success. Also, when I put inspect icmp in, I lose the ping too, and I get continuous ASP drops when running a traceroute.
