10-16-2012 04:19 AM - edited 03-11-2019 05:09 PM
Hey Gents/ladies
We have an ASA 5505 and a 5510 that we are using site to site..
I need to traceroute from the 5505 to the 5510, from the outside interfaces.. I don't want to do this through the site-to-site.
If you know what I mean..
I have temporarily added a few ACLs on the outside interfaces..
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
When I traceroute, it only goes one hop.. Maybe that's the way it's supposed to be?
I need to know all the hops between the outside interface on the 5505 and the outside interface on the 5510..
Is it possible?
Thanks
10-16-2012 04:23 AM
If you are doing a traceroute between the 2 outside interfaces of the ASAs, then you don't need to configure any ACL on the ASA.
And yes, it is definitely possible unless your ISP is blocking traceroute.
Did you try traceroute from both ends, and do both only go up one hop?
Do you happen to use the same ISP on both ends?
10-16-2012 04:51 AM
Oh right, didn't know.
Yeah, did it from both ends, also from a server on one of the DMZ IPs..
But probably the problem is that it's from the same ISP?
/Shane
10-16-2012 04:54 AM
Have you tried to traceroute to something on the internet and see if that works? Just try to traceroute to 4.2.2.2
10-16-2012 05:04 AM
Yes, I tried from the ASA 5510 source (outside interface) and it works fine.
But the trick is to find the route from the 5510 to the 5505..
I'll try to connect my computer from an IP that's not connected to the firewall but is still located in the same ISP IP range...
Maybe I am on the wrong track...
/Shane
10-16-2012 05:14 AM
Ahh, try this: from ASA5510 can you traceroute to the ASA5505 default gateway, and vice versa?
10-16-2012 05:49 AM
This is from the 5505 traceroute to the default gateway of the 5510... same results when I try to traceroute to 4.2.2.2 from the 5505
KAKORTGW01# traceroute x.x.x.x source outside
Type escape sequence to abort.
Tracing the route to x.x.x.x
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
I don't know the default gateway of the 5505; the outside interface is configured to get its IP from DHCP, so I can't try from the 5510 to the default gateway of the 5505.
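An added example, not part of the original thread, that parses ASA traceroute output like the one pasted above and tells apart a trace where every probe timed out (the pattern seen here, which the thread later attributes to either ISP filtering or the Easy VPN tunnel swallowing the probes) from a partial or completed one. The sample outputs are constructed, modelled on the `traceroute ... source outside` format shown in the post.

```python
import re

# Constructed sample, modelled on the ASA output posted above: every probe timed out.
SAMPLE_ALL_TIMEOUTS = """Type escape sequence to abort.
Tracing the route to x.x.x.x
 1 * * *
 2 * * *
 3 * * *
"""

# Constructed sample of a healthy trace (documentation addresses, not real hops).
SAMPLE_COMPLETED = """Type escape sequence to abort.
Tracing the route to 4.2.2.2
 1 203.0.113.1 1 msec 1 msec 1 msec
 2 * * *
 3 198.51.100.9 12 msec 11 msec 12 msec
"""

# A hop line starts with the hop number; everything after it is the probe results.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Hints tied to the causes discussed in the thread.
HINTS = {
    "all-timeouts": "no hop answered: check for ISP filtering or a VPN client tunnel "
                    "(e.g. Easy VPN) carrying the probes away from the outside path",
    "incomplete": "trace stopped before the destination answered",
    "completed": "destination reached",
    "no-hops": "no hop lines found in the output",
}


def parse_hops(output):
    """Return [(hop_number, responded)] for each hop line in ASA traceroute text."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing the route to ..."
        num, probes = int(m.group(1)), m.group(2).split()
        # A hop counts as responding if any of its probes returned something other than '*'.
        hops.append((num, any(tok != "*" for tok in probes)))
    return hops


def diagnose(output):
    """Classify the trace as no-hops, all-timeouts, incomplete or completed."""
    hops = parse_hops(output)
    if not hops:
        return "no-hops"
    answered = [n for n, ok in hops if ok]
    if not answered:
        return "all-timeouts"
    # Only the final listed hop answering means the probes reached the target.
    return "completed" if answered[-1] == hops[-1][0] else "incomplete"
```

Run `diagnose()` on the pasted output and look up the result in `HINTS` to get the next check suggested by the thread.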
10-16-2012 05:52 AM
So you can traceroute to 4.2.2.2 from 5510, but not from 5505?
You can check the default gateway of 5505 by checking the route: show route
10-16-2012 05:57 AM
Oh damn, I feel stupid, forgot about that command.. that was easy. Thanks, really appreciate your help..
Yes, exactly, I can traceroute to 4.2.2.2 from the 5510 but not from the 5505.
Traceroute from the 5510 to the 5505's default gateway is 8 hops.
10-16-2012 06:17 AM
Something weird happening on the 5505 end. I would check with the ISP.
10-16-2012 06:53 AM
Well, maybe it has something to do with the 5505: it has Easy VPN enabled, and I just saw now that the vpnclient server is the IP address of the 5510.. Don't know how the Easy VPN works exactly..
10-16-2012 07:04 AM
Ahh, no wonder.
With Easy VPN, it really depends on which mode it's in and also whether split tunneling is configured or not.
It most probably sends everything through the VPN tunnel towards the 5510.
You can temporarily disable the Easy VPN, perform the traceroute, and re-enable it.
10-16-2012 07:13 AM
Alright, I'll try to disable the Easy VPN, perform the traceroute and see.
I'll get back to you in a bit..
Thanks
Shane