Hi Piotr

I did try that before sending this mail. The traceroute just prints "*" and no IP addresses are present.

How can you traceroute to an untranslated IP address from a lower security level interface?

With regards
Kings

On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:

> Hi,
>
> You must traceroute private (untranslated) IP address of the host in the
> inside network to see the difference.
>
> For example:
>
> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
>
> Assuming you have the following translation on the ASA:
> static (in,out) 10.1.1.99 10.2.2.2
>
> Run the following command on R1:
> traceroute <R2-lo0>
>
> You will see that ASA translates ICMP time-exceeded or unreachable IP
> address to 10.1.1.99 (if you have icmp error inspection enabled). If not,
> you will see untranslated IP address of R2 (10.2.2.2).
>
>
> HTH,
> Piotr Matusiak
>
>
>
> 2010/1/25 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> Can someone please let me know, where would we actually use "inspect icmp
>> error". I am not getting the right explanation.
>>
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>>
>>
>> With inspect icmp error enabled, I tried to IOS traceroute from outside to
>> a host behind the ASA. With "set connection decrement-ttl", the internal
>> address is revealed.
>>
>> Do we use "inspect icmp error", to reveal the actual internal IP address?
>>
>>
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
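An ASA 8.0-style configuration for the topology discussed in this thread, added here as an example and not taken from any poster's device: it combines the `static` and `set connection decrement-ttl` mentioned above with `inspect icmp error`, so the effect of the inspection can be compared by removing that one line. The ACL name `out_in`, the UDP probe port range and the rate-limit values are assumptions.

```cisco
! Constructed example for: (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
!
! Translation from the thread: inside host 10.2.2.2 is seen as 10.1.1.99 outside.
static (in,out) 10.1.1.99 10.2.2.2 netmask 255.255.255.255
!
! IOS traceroute sends UDP probes; traffic from the lower security level
! interface must be permitted explicitly. Pre-8.3 ACLs match the mapped address.
! (ACL name and port range are assumptions.)
access-list out_in extended permit udp any host 10.1.1.99 range 33434 33464
access-group out_in in interface out
!
policy-map global_policy
 class inspection_default
  ! Stateful tracking of ICMP echo/echo-reply sessions.
  inspect icmp
  ! Apply the NAT configuration to ICMP error messages (time-exceeded,
  ! unreachable), including the addresses carried in the error.
  ! Remove this line to compare the traceroute output without it.
  inspect icmp error
 class class-default
  ! Make the ASA decrement TTL so it appears as a hop in traceroute.
  set connection decrement-ttl
!
service-policy global_policy global
!
! The ASA rate-limits the ICMP unreachables it generates itself; raising the
! limit avoids "*" for the ASA hop (values are assumptions).
icmp unreachable rate-limit 10 burst-size 5
```

From R1, compare the addresses in the traceroute output with `inspect icmp error` present and after `no inspect icmp error`; `show xlate` and `show service-policy` on the ASA show which translations and inspections were hit.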
