Kings,

Have you opened a hole for UDP packets (traceroute) in the outside ACL?

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/25 Kingsley Charles <[email protected]>

> Hi Piotr
>
> I did try that before sending this mail. The traceroute just prints "*"
> and no IP addresses are present.
>
> How can you traceroute to an untranslated IP address from a lower security
> level interface?
>
>
> With regards
> Kings
>
> On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi,
>>
>> You must traceroute private (untranslated) IP address of the host in the
>> inside network to see the difference.
>>
>> For example:
>>
>> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
>>
>> Assuming you have the following translation on the ASA:
>> static (in,out) 10.1.1.99 10.2.2.2
>>
>> Run the following command on R1:
>> traceroute <R2-lo0>
>>
>> You will see that ASA translates ICMP time-exceeded or unreachable IP
>> address to 10.1.1.99 (if you have icmp error inspection enabled). If not,
>> you will see untranslated IP address of R2 (10.2.2.2).
>>
>>
>> HTH,
>> Piotr Matusiak
>>
>>
>>
>> 2010/1/25 Kingsley Charles <[email protected]>
>>
>>> Hi all
>>>
>>> Can someone please let me know, where would we actually use "inspect icmp
>>> error". I am not getting the right explanation.
>>>
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>>>
>>>
>>> With inspect icmp error enabled, I tried to IOS traceroute from outside
>>> to a host behind the ASA. With "set connection decrement-ttl", the internal
>>> address is revealed.
>>>
>>> Do we use "inspect icmp error", to reveal the actual internal IP address?
>>>
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
