Hi Piotr

This is the ACL on the outside interface.

ciscoasa# sh run access-list 120
access-list 120 extended permit udp any any range 33434 33464
access-list 120 extended permit icmp any any echo
access-list 120 extended permit icmp any any unreachable
access-list 120 extended permit icmp any any time-exceeded
access-list 120 extended permit icmp any any echo-reply

With regards
Kings

On Mon, Jan 25, 2010 at 3:28 PM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> Have you opened a hole for UDP packets (traceroute) in the outside ACL?
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
>
> 2010/1/25 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> I did try that before sending this mail. The traceroute just prints "*"
>> and no IP addresses are present.
>>
>> How can you traceroute to an untranslated IP address from a lower
>> security level interface?
>>
>> With regards
>> Kings
>>
>> On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> You must traceroute the private (untranslated) IP address of the host in the
>>> inside network to see the difference.
>>>
>>> For example:
>>>
>>> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
>>>
>>> Assuming you have the following translation on the ASA:
>>> static (in,out) 10.1.1.99 10.2.2.2
>>>
>>> Run the following command on R1:
>>> traceroute <R2-lo0>
>>>
>>> You will see that the ASA translates the ICMP time-exceeded or unreachable IP
>>> address to 10.1.1.99 (if you have icmp error inspection enabled). If not,
>>> you will see the untranslated IP address of R2 (10.2.2.2).
>>>
>>> HTH,
>>> Piotr Matusiak
>>>
>>> 2010/1/25 Kingsley Charles <[email protected]>
>>>
>>>> Hi all
>>>>
>>>> Can someone please let me know where we would actually use "inspect
>>>> icmp error". I am not getting the right explanation.
>>>>
>>>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>>>>
>>>> With inspect icmp error enabled, I tried an IOS traceroute from outside
>>>> to a host behind the ASA. With "set connection decrement-ttl", the internal
>>>> address is revealed.
>>>>
>>>> Do we use "inspect icmp error" to reveal the actual internal IP
>>>> address?
>>>>
>>>> With regards
>>>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
