traceroute through ASA

Hi,

The network structure of my company is :

Server ( 172.22.2.1 ) - HQ L3 switch ( 172.22.51.41 ) - ASA firewall ( route mode without NAT, 172.16.52.2 ) - WAN router ( 172.16.51.101 ) - Branch office L3 switch ( 172.16.6.254 ) - PC ( 172.16.6.250 )

I tried to trace route from my PC, the result is :

C:\Documents and Settings\yang>tracert -d 172.22.2.1

Tracing route to 172.22.2.1 over a maximum of 30 hops

  1    23 ms    <1 ms    <1 ms  172.16.6.254
  2     4 ms     2 ms     2 ms  172.16.51.101
  3    10 ms     9 ms     9 ms  172.22.51.41
  4     9 ms     9 ms     9 ms  172.22.2.1

Trace complete.

The traceroute result seems to be missing the ASA hop information. Please help me understand what the problem is.

Best Regards,

2 ACCEPTED SOLUTIONS

Hello Jackson,

By default the ASA will not decrement the TTL value of an IP packet (so it will be somewhat transparent, for security purposes), but this can be changed by doing the following:

configure terminal
 policy-map global_policy
  class class-default
   set connection decrement-ttl

Regards,

Rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

In addition you need an access-list on the outside interface:

access-list outside permit udp any any gt 33434
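As an added illustration (not part of either reply), a short Python model of how the probe TTL is consumed along the path from the question; the hop order and addresses are taken from the original post, and the simplified per-hop TTL model is my assumption. With the ASA not decrementing it reproduces the four-hop tracert output above, and with decrement-ttl enabled the ASA appears as hop 3.

```python
# Added example, not from the thread: a simplified TTL model of the path in the question.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Hop:
    ip: str
    # Routers always decrement TTL; an ASA only does with "set connection decrement-ttl".
    decrements_ttl: bool = True


def build_path(asa_decrements_ttl: bool) -> List[Hop]:
    """The path from the question, branch PC side first, HQ server last."""
    return [
        Hop("172.16.6.254"),                     # branch office L3 switch
        Hop("172.16.51.101"),                    # WAN router
        Hop("172.16.52.2", asa_decrements_ttl),  # ASA, route mode, no NAT
        Hop("172.22.51.41"),                     # HQ L3 switch
        Hop("172.22.2.1"),                       # server (destination)
    ]


def simulate_traceroute(path: List[Hop], max_hops: int = 30) -> List[str]:
    """Responder seen for each probe TTL, stopping once the destination answers.
    The probe type (ICMP echo for Windows tracert, UDP to ports >= 33434 for
    classic Unix traceroute) does not change this logic, but the ASA must
    permit it, which is what the ACL in the second answer is for."""
    destination = path[-1].ip
    responders: List[str] = []
    for ttl in range(1, max_hops + 1):
        remaining = ttl
        for hop in path:
            if hop.ip == destination:
                responders.append(destination)  # probe reached the target
                return responders
            if hop.decrements_ttl:
                remaining -= 1
                if remaining == 0:
                    responders.append(hop.ip)   # hop replies with ICMP Time Exceeded
                    break
            # a non-decrementing hop forwards the probe and never answers
    return responders


def hidden_hops(path: List[Hop]) -> List[str]:
    """Devices on the path that a traceroute from the PC never reveals."""
    seen = set(simulate_traceroute(path))
    return [hop.ip for hop in path if hop.ip not in seen]
```

The hidden-hop list is the defender's view of the same behaviour: leaving decrement-ttl off keeps the firewall out of path discovery, at the cost of confusing troubleshooting like the one in the question.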
