Packet analysis for ASA help

jeffkim.cisco · ‎01-18-2017

I traceroute from this VLAN to 8.8.8.8

After ASA, i get * * * * * *.

So i captured the packet.

I do have these in place.

class class-default
set connection decrement-ttl
user-statistics accounting

access-list out_in extended permit icmp any any

That out_in is applied to outside interface correctly.

Any ideas why traceroute is not working?

Please see the attachment for the picture

Pranay Prasoon · ‎01-18-2017

Please enable icmp error inspection in ASA and see if that helps.

jeffkim.cisco · ‎01-19-2017

it is there already.

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
inspect icmp
inspect icmp error

Pranay Prasoon · ‎01-19-2017

Hi,

Can you please tell in detail, how you are doing the test , inbound or outbound? What is the version of ASA and if possible attach the configuration, off course mangling the IP address

jeffkim.cisco · ‎01-19-2017

found out that from VLAN that is using dynamic NAT, traceroute is not working.

VLAN that using static NAT, traceroute is working.

Do you know why?

using Version 9.1(2)

Pranay Prasoon · ‎01-19-2017

Are you testing from windows PC? can you try some unix machine for traceroute.

I don't see a problem with configuration, but need to see what is going on

Pranay Prasoon · ‎01-19-2017

I saw your other post and you are giving a different picture. I guess even ping is not working from other interface. have you tested routing on ASA, if it can reach the network? Do you have proper NAT statement?

take bidirectional capture on ASA inside and otherside interface and see if you can see traffic in both direction.