Hi,

You must traceroute the private (untranslated) IP address of the host in the inside network to see the difference.

For example:

(lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)

Assuming you have the following translation on the ASA:

static (in,out) 10.1.1.99 10.2.2.2

Run the following command on R1:

traceroute <R2-lo0>

You will see that the ASA translates the ICMP time-exceeded or unreachable IP address to 10.1.1.99 (if you have icmp error inspection enabled). If not, you will see the untranslated IP address of R2 (10.2.2.2).

HTH,
Piotr Matusiak

2010/1/25 Kingsley Charles <[email protected]>

> Hi all
>
> Can someone please let me know, where would we actually use "inspect icmp error". I am not getting the right explanation.
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>
> With inspect icmp error enabled, I tried to IOS traceroute from outside to a host behind the ASA. With "set connection decrement-ttl", the internal address is revealed.
>
> Do we use "inspect icmp error", to reveal the actual internal IP address?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
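The ASA side of the test described in the reply, written out as an added example (not configuration posted by anyone in the thread). The interface names in/out and the static translation are the ones from the reply; the policy-map layout is the ASA 8.0 default global policy, and the outside access-list is assumed to already permit the traceroute probes.

```cisco
! Added example. R2 (10.2.2.2, inside) is presented to the outside as 10.1.1.99,
! exactly as in the reply above.
static (in,out) 10.1.1.99 10.2.2.2
!
policy-map global_policy
 class inspection_default
  ! Stateful tracking of ICMP echo / echo-reply.
  inspect icmp
  ! The setting under test: ICMP error messages (time-exceeded,
  ! unreachable) are handled according to the configured translations.
  inspect icmp error
 class class-default
  ! Optional, from the original question: the ASA decrements TTL and so
  ! shows up as a hop in the traceroute output.
  set connection decrement-ttl
!
service-policy global_policy global
!
! To compare both cases, run the traceroute from R1, then enter
!   no inspect icmp error
! under class inspection_default and run the traceroute again.
! "show service-policy" lists the active inspections; "show xlate" lists
! the translations in use.
```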
