It is my understanding that permits traffic directly to or from the
interface and does not affect the inspection. Also it appears that
traffic through the device does not get a TTL decrement by default.
This makes it invisible to a traceroute. One more note: the traceroute
keyword that is used in an ACL or in icmp permit is, by my understanding,
an ICMP message type that never gained wide acceptance. My
understanding is we see unreachables when a traceroute is initiated by
a router or a Linux host. When initiated by Windows we see time-exceeded.
On Sep 7, 2009, at 2:32 PM, Pieter-Jan Nefkens <[email protected]> wrote:
Hi Paul,
What about the option to enable the traceroute option on the icmp
protocol inspection?
E.g.
icmp permit any traceroute inside (or outside)
Kind regards
Pieter-Jan
On 7 sep 2009, at 19:49, Paul Stewart wrote:
By default the ASA is transparent to a traceroute due to the fact
that it does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4
it specifies that inside hosts should be able to "successfully"
traceroute to devices on the drawing. What are the thoughts on
using the method below to make the ASA visible? In my opinion, it
is a gray area, but a successful traceroute should show the layer 3
devices.
policy-map global_policy
class class-default
set connection decrement-ttl
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
Think before you print.
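Paul's `set connection decrement-ttl` question and the icmp permit discussion above can be illustrated with a small constructed traceroute model (an added example, not code from anyone in this thread or from Cisco): each hop either decrements the TTL or forwards the probe untouched, and a firewall hop lets only the listed ICMP reply types back toward the inside host. The hop names, the `udp`/`icmp` probe kinds and the permit sets are assumptions made up for the example.

```python
from dataclasses import dataclass

# ICMP reply types a hop lets back toward the traceroute sender; routers pass everything,
# the firewall passes only what its icmp permit / inspection allows (constructed model).
ALL_REPLIES = frozenset({"time-exceeded", "unreachable", "echo-reply"})

@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True            # routers decrement; the ASA does not by default
    permit_back: frozenset = ALL_REPLIES   # ICMP types allowed back through this hop

def deliver_reply(return_path, sender, icmp_type):
    """Carry an ICMP reply back through the hops already crossed; a hop that does not
    permit that type drops it, and the sender then prints '*' for this TTL."""
    for hop in reversed(return_path):
        if icmp_type not in hop.permit_back:
            return None
    return (sender, icmp_type)

def send_probe(path, ttl, probe):
    """Forward one probe ('udp' as Linux/IOS traceroute sends, 'icmp' as Windows
    tracert sends) along path; return (replying hop, icmp type) or None."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:                      # reached the destination host
            reply = "unreachable" if probe == "udp" else "echo-reply"
            return deliver_reply(path[:i], hop.name, reply)
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:                            # this hop expires the probe
                return deliver_reply(path[:i], hop.name, "time-exceeded")
        # a hop that leaves the TTL untouched forwards the probe and never answers
    return None

def traceroute(path, probe="udp", max_ttl=30):
    """Return the hop names a traceroute would print, '*' where no reply arrived."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, ttl, probe)
        hops.append(reply[0] if reply else "*")
        if reply and reply[1] != "time-exceeded":   # destination answered: done
            break
    return hops

if __name__ == "__main__":
    # Constructed topology: inside host -> R1 -> ASA -> R3 -> DST
    asa = Hop("ASA", decrements_ttl=False)
    print(traceroute([Hop("R1"), asa, Hop("R3"), Hop("DST")]))   # ASA is invisible
    asa.decrements_ttl = True                                      # decrement-ttl applied
    print(traceroute([Hop("R1"), asa, Hop("R3"), Hop("DST")]))   # ASA now shows up
```

A firewall hop whose permit set holds only echo-reply lets the ICMP-probe traceroute finish while the UDP-probe one shows nothing but stars beyond the firewall, which is the return-path side of the icmp permit discussion.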