Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4147
Views
0
Helpful
1
Replies

TCP Traceroute

rakeshvelagala
Level 3
Level 3

‎05-21-2015 09:58 PM - edited ‎03-11-2019 10:58 PM

Hi All,

 

Say I have a setup as below

 

Host1--(inside)ASA(Outside)----R1(192.168.1.1)---R2(172.16.1.1)---R3(Host2)

 

We do a tcpping to the destination say to port 80.

We will know whether the host is alive as it will send an syn-ack to us.

 

Noe say I have done a tcptraceroute from Host1

 

So at the first hop after ASA, the router(R1) will still send an ICMP unreachable message, souced from Host1

 

But since firewall did not have the session initiated from host1 to R1, the icmp unreachable packet will be dropped?

 

Other than allwoing icmp unreachable through firewall, is there any other way? Kindly advise.

 

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-22-2015 03:54 AM

Hi,

The functionality of the trace route depends mainly on the ICMP unreachable messages and without this the trace route would never work.

You can refer to this document to get more information on how the ASA handles the trace route :-

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#intro

Thanks and Regards,

Vibhor Amrodia

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card