Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
9317
Views
10
Helpful
2
Replies

traceroute through ASA

Go to solution
jackson.ku
Level 3
Level 3

‎11-23-2012 12:25 PM - edited ‎03-11-2019 05:27 PM

Hi,

The network structure of my company is :

Server ( 172.22.2.1 ) - HQ L3 switch ( 172.22.51.41 ) - ASA firewall ( route mode without NAT, 172.16.52.2 ) - WAN router ( 172.16.51.101 ) - Branch office L3 switch ( 172.16.6.254 ) - PC ( 172.16.6.250 )

I tried to trace route from my PC, the result is :

C:\Documents and Settings\yang>tracert -d 172.22.2.1

Tracing route to 172.22.2.1 over a maximum of 30 hops

  1    23 ms    <1 ms    <1 ms  172.16.6.254
  2     4 ms     2 ms     2 ms  172.16.51.101
  3    10 ms     9 ms     9 ms  172.22.51.41
  4     9 ms     9 ms     9 ms  172.22.2.1

Trace complete.

The trace route result seems loss the ASA hop information. Please help to mention me what is the problem?

Best Regards,

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎11-23-2012 12:43 PM

Hello Jackson,

By default the ASA will not decrement the TTL value of an IP packet ( so it will be somehow transparent {Security Purposes}) but this can be changed by doing the following:

configure te

  policy-map global_policy

  class class-default

  set connection decrement-ttl

Regards,

Rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Go to solution
Riyasat Ali
Level 1
Level 1
In response to Julio Carvajal

‎11-25-2012 02:38 AM

in addition you need an access-list on outside interface :-

access-list outside permit udp any any gt 33434.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎11-23-2012 12:43 PM

Hello Jackson,

By default the ASA will not decrement the TTL value of an IP packet ( so it will be somehow transparent {Security Purposes}) but this can be changed by doing the following:

configure te

  policy-map global_policy

  class class-default

  set connection decrement-ttl

Regards,

Rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
Riyasat Ali
Level 1
Level 1
In response to Julio Carvajal

‎11-25-2012 02:38 AM

in addition you need an access-list on outside interface :-

access-list outside permit udp any any gt 33434.

0 Helpful
Review Cisco Networking for a $25 gift card
Top