Solved: traceroute through ASA

jackson.ku · ‎11-23-2012

Hi,

The network structure of my company is :

Server ( 172.22.2.1 ) - HQ L3 switch ( 172.22.51.41 ) - ASA firewall ( route mode without NAT, 172.16.52.2 ) - WAN router ( 172.16.51.101 ) - Branch office L3 switch ( 172.16.6.254 ) - PC ( 172.16.6.250 )

I tried to trace route from my PC, the result is :

C:\Documents and Settings\yang>tracert -d 172.22.2.1

Tracing route to 172.22.2.1 over a maximum of 30 hops

1    23 ms    <1 ms    <1 ms 172.16.6.254
2     4 ms     2 ms     2 ms 172.16.51.101
3    10 ms     9 ms     9 ms 172.22.51.41
4     9 ms     9 ms     9 ms 172.22.2.1

Trace complete.

The trace route result seems loss the ASA hop information. Please help to mention me what is the problem?

Best Regards,

Julio Carvajal · ‎11-23-2012

Hello Jackson,

By default the ASA will not decrement the TTL value of an IP packet ( so it will be somehow transparent {Security Purposes}) but this can be changed by doing the following:

configure te

policy-map global_policy

class class-default

set connection decrement-ttl

Regards,

Rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Riyasat Ali · ‎11-25-2012

in addition you need an access-list on outside interface :-

access-list outside permit udp any any gt 33434.