01-17-2013 01:58 PM - edited 03-11-2019 05:48 PM
Running an ASA5505. Version 9.1.1.
I have the following in the configuration. I'm using PAT (and some static NATs inside, not shown here).
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
object network obj_any
nat (inside,outside) dynamic interface
policy-map global_policy
class inspection_default
inspect icmp
Ping is working just fine, but when I run a tracert I get the most bizarre responses I've ever seen. They all reply with the same hostname and IP address for every hop, though the ping times seem to be working now (before I had nothing but asterisks until the final hop).
Here's an example:
Tracing route to yahoo.com [206.190.36.45]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
2 4 ms 4 ms 4 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
3 5 ms 5 ms 5 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
4 65 ms 66 ms 63 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
5 67 ms 63 ms 63 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
6 63 ms 63 ms 63 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
7 62 ms 65 ms 63 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
8 62 ms 69 ms 62 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
9 67 ms 69 ms 67 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
10 67 ms 68 ms 67 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
11 68 ms 122 ms 67 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
12 69 ms 75 ms 68 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
13 68 ms 74 ms 74 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
14 151 ms 97 ms 76 ms ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
Trace complete.
Is there any good reason for this happening from a (mostly) factory-default ASA5505 config? What is the point of a trace route that doesn't help you trace the route? lol.
Any help would be great. I don't use it every day, but tracert is a basic tool everyone should be able to use, and right now mine is broken.
----EDIT to add my solution----
I basically did (added) the following, and tracert replies are looking better now:
policy-map global_policy
class inspection_default
inspect icmp error
class class-default
set connection decrement-ttl
access-list outside_in extended permit icmp any any unreachable
icmp unreachable rate-limit 10 burst-size 5
Thanks.
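Added here as a check for the symptom described in the post (this is not code from the thread): a small Python parser for Windows tracert output that flags a trace where every responding hop reports the destination address, and a trace where nothing but asterisks precedes the final hop. The sample is abridged from the output above; the advice strings refer to the ASA commands the poster added.

```python
import re

# Constructed sample, abridged from the tracert output quoted in the post.
SAMPLE_TRACERT = """\
Tracing route to yahoo.com [206.190.36.45]
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  2     4 ms     4 ms     4 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
  3     5 ms     5 ms     5 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
 14   151 ms    97 ms    76 ms  ir1.fp.vip.gq1.yahoo.com [206.190.36.45]
Trace complete.
"""

TARGET_RE = re.compile(r"Tracing route to \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(r"<?\d+\s*ms|\*")                       # "65 ms", "<1 ms" or "*"
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")   # trailing "[a.b.c.d]" or bare IP


def parse_tracert(text):
    """Return (target_ip, hops); each hop is (hop_no, responding_ip_or_None, timeouts)."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = PROBE_RE.findall(m.group(2))
        if len(probes) != 3:                  # not a hop line (e.g. "over a maximum ...")
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None, probes.count("*")))
    return target, hops


def diagnose(text, min_hops=3):
    """Flag the two symptoms the post describes; returns a list of finding strings."""
    target, hops = parse_tracert(text)
    findings = []
    answered = [ip for _, ip, _ in hops if ip]
    # Symptom seen with 'inspect icmp' alone: every hop carries the destination address.
    if target and len(answered) >= min_hops and all(ip == target for ip in answered):
        findings.append("every responding hop reports the destination %s: intermediate "
                        "time-exceeded sources are being rewritten (ASA: check 'inspect "
                        "icmp error' and 'set connection decrement-ttl')" % target)
    # Symptom seen before any ICMP tweak: nothing but '*' until the final hop answers.
    silent = [n for n, ip, t in hops if ip is None and t == 3]
    if hops and len(silent) == len(hops) - 1 and hops[-1][1] == target:
        findings.append("only the final hop answered: time-exceeded replies are being "
                        "dropped (ASA: check the outside ACL permits icmp time-exceeded)")
    return findings
```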
01-17-2013 08:42 PM
You typically need to tweak an ASA config to allow traceroute to work through it. There are several threads covering this. See, for instance, this one:
https://supportforums.cisco.com/thread/2083669
Hope this helps.
03-25-2019 09:57 PM
Broken Link!