11-11-2014 08:44 AM
Hi,
I am able to ping my remote peers but can't trace. What am I missing here?
object-group service PING_TRACE
service-object icmp
service-object icmp traceroute
object-group network ICMP_ACCESS
network-object 203.121.10.0 255.255.255.0
network-object host 222.77.187.292
network-object host 231.27.20.18
network-object host 198.18.171.220
network-object host 129.26.179.202
network-object host 218.192.63.146
network-object host 94.62.250.62
#sh access-list Test_access_in
access-list Test_access_in line 6 remark Allow set of hosts to PING and TRACE ANY outside - for monitoring.
access-list Test_access_in line 7 extended permit object-group PING_TRACE object-group ICMP_ACCESS any4 (hitcnt=0) 0x48a9083e
access-list Test_access_in line 7 extended permit icmp 203.121.10.0 255.255.255.0 any4 (hitcnt=0) 0xce1e8a24
access-list Test_access_in line 7 extended permit icmp host 222.77.187.292 any4 (hitcnt=0) 0xf57d731f
access-list Test_access_in line 7 extended permit icmp host 231.27.20.18 any4 (hitcnt=0) 0xb25e6675
access-list Test_access_in line 7 extended permit icmp host 198.18.171.220 any4 (hitcnt=0) 0xd1f4dfa4
access-list Test_access_in line 7 extended permit icmp host 129.26.179.202 any4 (hitcnt=87) 0x45874268
access-list Test_access_in line 7 extended permit icmp host 218.192.63.146 any4 (hitcnt=0) 0x737f20fb
access-list Test_access_in line 7 extended permit icmp host 94.62.250.62 any4 (hitcnt=0) 0x4223d717
#sh run access-group
access-group Test_access_in in interface Test1
#ping 231.27.20.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.27.20.10, timeout is 2 seconds:
!!!!!
#traceroute 231.27.20.18
Type escape sequence to abort.
Tracing the route to 231.27.20.18
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * *
#traceroute 231.27.20.18 source Test1
Type escape sequence to abort.
Tracing the route to 231.27.20.18
1 * * *
2 * * *
11-11-2014 01:19 PM
Hi,
You need to enable icmp error inspection to see all intermediate hosts.
policy-map global_policy
class inspection_default
inspect icmp errors
Take a look at this link to the command reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1760544
The reason for such behavior is that by default the ASA (a security device!) will hide all hosts on the path for ICMP time-exceeded messages behind NAT.
Let me know how it works out,
Please don't forget to rate, and mark as Correct the helpful Post!
David Castro,
Regards,
11-12-2014 06:19 AM
Hi dcastrof,
Thanks a ton for your input. Will test and verify if it works. Cheers!!!
Regards,
Kunal Tupe
11-12-2014 06:23 AM
Hi Kunal,
It is a pleasure, let me know how it works out!
Also Please don't forget to rate, and mark as Correct the helpful Post!
Have a great day!
David Castro,
11-13-2014 03:22 AM
Hey David,
Kudos.. It works!!! But is there any other way apart from this?
Regards,
Kunal Tupe
11-13-2014 06:56 AM
Hi Kunal,
Since the Cisco ASA acts as a security appliance, it usually does not let you see when the packet goes across it; it is a security measure, so this is the way we can make this function as you are looking for. If you have another question, please let me know!
Best Regards,
12-17-2014 01:55 PM
Hi David,
Sorry for the delayed response as I was not around.
Thanks for the information. Thanks for all the help :)
Best Regards,
Kunal Tupe
11-15-2014 11:09 PM
Hi Kunal,
I see. What happens is that I gave you the steps on this that TAC recommends; there might be certain different ways around something and they might work, though we usually follow the pertinent procedures and the ones recommended by Cisco.
I would recommend you to follow what I have posted,
David Castro,
Regards,
03-26-2017 01:53 PM
I also had to remove the "IP reverse path" feature on the inbound interface, as traceroute replies were coming from intermediate carrier hops with source addresses that are not routable across the firewall interface; therefore they were dropped by the "IP reverse path" feature and we could not see intermediate hops on the traceroute, only the first and last. After "IP reverse path" was disabled on the transit/external interface, traceroute started working. This is not a recommended practice, but it was needed to get traceroute working in my case.
no ip verify reverse-path interface INTERFACE_NAME
HTH
Angel,
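Added example (not from this thread, Cisco, or the ASA itself): a small Python model of the two behaviours discussed above, David's point that without ICMP error inspection the hop replies never match the connection table, and Angel's point that the reverse-path check drops replies from hop routers whose source is not routed via that interface. It builds a constructed ICMP echo probe and a time-exceeded reply from an assumed hop router (10.255.0.1) and matches them against a minimal connection table; the real ASA inspection and route lookup are more involved than this model.

```python
import struct
from ipaddress import IPv4Address, ip_network

# Constructed sample flow: an ICMP echo probe from the monitored inside host in
# the thread to the remote peer, answered by a time-exceeded from a hop router.
INSIDE_HOST, REMOTE_PEER = "129.26.179.202", "231.27.20.18"
HOP_ROUTER = "10.255.0.1"  # assumed intermediate hop (constructed, not from the thread)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(pkt):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[(ver_ihl & 0xF) * 4:]

def icmp_echo_probe(src, dst, ident=0x1234, seq=1):
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # type 8 = echo request
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def icmp_time_exceeded(hop, original):
    """ICMP type 11 from the hop: 8-byte header + original IP header and 8 bytes."""
    src = parse_ipv4(original)[0]
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + original[:28]
    return ipv4_header(hop, src, 1, len(icmp)) + icmp

def flow_key(pkt):
    """(src, dst, proto, icmp id): how a stateful firewall tracks the probe."""
    src, dst, proto, payload = parse_ipv4(pkt)
    ident = struct.unpack("!H", payload[4:6])[0] if proto == 1 else 0
    return (src, dst, proto, ident)

def firewall_allows(reply, conn_table, icmp_error_inspection):
    src, dst, proto, payload = parse_ipv4(reply)
    if icmp_error_inspection and proto == 1 and payload[0] == 11:
        return flow_key(payload[8:]) in conn_table  # match the quoted original probe
    rsrc, rdst, rproto, ident = flow_key(reply)     # only the outer header is seen,
    return (rdst, rsrc, rproto, ident) in conn_table  # and the hop is never a known peer

def reverse_path_ok(reply, interface_prefixes):
    """Simplified 'ip verify reverse-path': source must be routed via this interface."""
    src = IPv4Address(parse_ipv4(reply)[0])
    return any(src in ip_network(p) for p in interface_prefixes)

def simulate(icmp_error_inspection=True, urpf_prefixes=None):
    probe = icmp_echo_probe(INSIDE_HOST, REMOTE_PEER)
    conn_table = {flow_key(probe)}  # the firewall built this entry on the way out
    reply = icmp_time_exceeded(HOP_ROUTER, probe)
    if urpf_prefixes is not None and not reverse_path_ok(reply, urpf_prefixes):
        return "dropped by reverse-path check"
    return "hop visible" if firewall_allows(reply, conn_table, icmp_error_inspection) else "hop hidden (* * *)"
```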