Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8262
Views
0
Helpful
7
Replies

Tracert results always showns same IP on ASA

ktwaddell
Level 1
Level 1

‎11-24-2011 05:59 AM - edited ‎03-11-2019 02:54 PM

Hi

I have a ASA 5505 as a default gateway to a network, whenever I tracert to outside it shows every hop ip address as the ip address I'm trying to get too, quick example

lets say I'm in a 192.168.0.0/25 network but I want to trace to 10.10.10.10

tracert 10.10.10.10

1 4ms   5ms   6ms  10.10.10.10

2 7ms 8ms 9ms 10.10.10.10

3 *

4*

5*

6 20MS 20MS 20ms 10.10.10.10

get me?

any ideas on why the asa is doing it?

Thanks

Kev

Labels:
0 Helpful
7 Replies 7

Diego Armando Cambronero Arias
Level 3
Level 3

‎11-24-2011 06:57 AM

I have never seeing such a behavior. I would try to enable icmp error inspection and maybe decrement ttl

0 Helpful

ktwaddell
Level 1
Level 1
In response to Diego Armando Cambronero Arias

‎11-24-2011 08:59 AM

Hi

ok great I'll look that up and give it try tomorrow

Cheers

Kev

0 Helpful

anksachd
Level 1
Level 1
In response to ktwaddell

‎11-24-2011 04:12 PM

Hi Kev,

For Outbound traceroute to work through ASA , folllowing needs to be configured :

policy-map global_policy

class inspection_default

    inspect icmp

    inspect icmp error

access-list out  extended permit icmp any any time-exceeded

access-list out  extended permit icmp any any unreachable

access-group out in interface outside

If you want to see ASA as a hop in the traceroute output :

ciscoasa(config)#policy-map global_policy

ciscoasa(config-pmap)#class class-default

ciscoasa(config-pmap-c)#set connection decrement-ttl

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5

Regards

Ankur

0 Helpful

ktwaddell
Level 1
Level 1
In response to anksachd

‎11-24-2011 11:39 PM

Hiya

That didn't work sadly, I got less replys but they were still all showing as the IP address I want to get too. I've just checked checked and I get the very same thing on my other ASA as well.

ok why can I insert, an image, video, url but not the config!!

how do I put a config on here??

too early for this

0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to ktwaddell

‎11-26-2011 10:44 AM

Hi Kev,

Is the ASA running an 8.3 or 8.4 version of software? If so, this is caused by the following bug:

CSCtj50797 - Traceroute to or through ASA always shows destination IP

The bug is fixed in 8.3.2 and 8.4.1 and higher.

-Mike

0 Helpful

ktwaddell
Level 1
Level 1
In response to mirober2

‎11-27-2011 11:35 PM

Morning All

Well that is spot the issue I'm having, i have 3 ASA's 2 with the same issue and 1 working fine, ios below

not working correctly

5505 8.4(2)

5510 8.4(1)

working fine

5510 8.2(1)

Cheers

Kev

0 Helpful

DaveNoonan26775
Level 1
Level 1

‎04-28-2021 07:22 AM

I know this is ancient but it shows up in search results.

Someone else on CCO said that the issue was a no-nat statement with Any as the source interface.  I have inside-outside in my no-nat and am seeing this problem.  I do have Any in the default NAT statement and will try changing that later.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card