08-21-2023 09:44 PM
Hello all,
I have an issue regarding traceroute result "time out" passing through ASA to outside (public). I have two public IP addresses at ASA, one is assigned at outside interface which translates (NAT) for some networks (192.x.x.x/24). Another one (public IP) is not assigned at any interface but it works NAT for a network (172.x.x.x/24).
When I traceroute to public (eg: 8.8.8.8) from 192.x.x.x network, it is fine and no time out and complete trace. When I traceroute to public (eg: 8.8.8.8) from 172.x.x.x network, it got many time outs and also complete traceroute.
Thanks for any response.
08-21-2023 11:47 PM
- FYI : https://advanxer.com/2015/04/allowing-tracert-in-cisco-asa-firewall/
M.
08-22-2023 12:59 AM
I have tried with these, it does not work. Thanks.
08-22-2023 01:46 AM
>...I have tried with these, it does not work. thanks.
- Then it could be a bug, try recent advisory software version for your ASA (if applicable)
M.
08-22-2023 12:30 AM
Do you have - inspect icmp error?
Is the Public IP different IP range configured on the Outside interface?
Can you post example traceroute output here?
08-22-2023 12:58 AM
Two public ip addresses are the same range, one is assigned at Outside interface and another one is just for NAT ip. Below is screenshot for traceroute.
08-22-2023 01:00 AM
I have no inspect icmp error
08-22-2023 02:23 AM
Maybe try adding that command and also TTL expiry config.
Why are there many 172.X hops before reaching NAT IP (public)?
Can you post the success one? 192.X?