Yes, and with the traceroute option in the ICMP engine, you enable the
feature and with a traceroute you can see the ASA as a device.
If I remember correctly, I'm at home but will test it tomorrow...
Pieter-Jan
On 7 Sep 2009 at 21:08, "Tyson Scott" <[email protected]> wrote:
Paul,
By default the ASA will block traceroute. Traceroute is sent out
with ICMP type 8 but will respond back with ICMP type 3 and 11.
Test by sending a traceroute and see the traffic drop.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul
Stewart
Sent: Monday, September 07, 2009 1:50 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Traceroute through ASA
By default the ASA is transparent to a traceroute due to the fact
that it does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4
it specifies that inside hosts should be able to "successfully"
traceroute to devices on the drawing. What are the thoughts on
using the method below to make the ASA visible? In my opinion, it
is a gray area, but a successful traceroute should show the layer 3
devices.
policy-map global_policy
 class class-default
  set connection decrement-ttl
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
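The two points raised in this thread (decrementing the TTL so the ASA shows up as a hop, and letting the ICMP type 3 and type 11 replies back in) combined into one configuration, as an added example that is not from any of the posters. The interface name `outside` and the ACL name `OUTSIDE_IN` are assumptions; the rate-limit values are sample values.

```cisco
! Assumed names (not from the thread): interface "outside", ACL "OUTSIDE_IN".

! 1. Make the ASA visible as a hop: decrement the TTL of transit packets.
!    Without this the ASA forwards packets with the TTL unchanged and never
!    appears in the traceroute output.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! 2. The ASA rate-limits the ICMP unreachable messages it generates.
!    Raise the limit so the ASA's own hop is not shown as a timeout.
!    (10 and 5 are sample values.)
icmp unreachable rate-limit 10 burst-size 5

! 3. Permit the replies described in the thread to come back through the
!    outside interface: time-exceeded (type 11) from intermediate hops and
!    unreachable (type 3) from the final destination.
!    "any any" keeps the example short; in practice narrow the destination
!    to the inside networks that are allowed to run traceroute.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

Only the two ICMP message types named in the thread are permitted inbound, rather than all ICMP, so the policy stays as narrow as the traceroute requirement allows.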