Turn on logging on the ASA and see what's happening. I assume you are NOT tracerouting the IP address for which the static is configured on the ASA.
--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/25 Kingsley Charles <[email protected]>

> Hi Piotr
>
> This is the ACL on the outside interface.
>
> ciscoasa# sh run access-list 120
> access-list 120 extended permit udp any any range 33434 33464
> access-list 120 extended permit icmp any any echo
> access-list 120 extended permit icmp any any unreachable
> access-list 120 extended permit icmp any any time-exceeded
> access-list 120 extended permit icmp any any echo-reply
>
> With regards
> Kings
>
> On Mon, Jan 25, 2010 at 3:28 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> Have you opened a hole for UDP packets (traceroute) in the outside ACL?
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>>
>> 2010/1/25 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> I did try that before sending this mail. The traceroute just prints "*"
>>> and no IP addresses are present.
>>>
>>> How can you traceroute to an untranslated IP address from a lower
>>> security level interface.
>>>
>>> With regards
>>> Kings
>>>
>>> On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> You must traceroute private (untranslated) IP address of the host in the
>>>> inside network to see the difference.
>>>>
>>>> For example:
>>>>
>>>> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
>>>>
>>>> Assuming you have the following translation on the ASA:
>>>> static (in,out) 10.1.1.99 10.2.2.2
>>>>
>>>> Run the following command on R1:
>>>> traceroute <R2-lo0>
>>>>
>>>> You will see that ASA translates ICMP time-exceeded or unreachable IP
>>>> address to 10.1.1.99 (if you have icmp error inspection enabled). If not,
>>>> you will see untranslated IP address of R2 (10.2.2.2).
>>>>
>>>> HTH,
>>>> Piotr Matusiak
>>>>
>>>> 2010/1/25 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi all
>>>>>
>>>>> Can someone please let me know, where would we actually use "inspect
>>>>> icmp error". I am not getting the right explanation.
>>>>>
>>>>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>>>>>
>>>>> With inspect icmp error enabled, I tried to IOS traceroute from outside
>>>>> to a host behind the ASA. With "set connection decrement-ttl", the internal
>>>>> address is revealed.
>>>>>
>>>>> Do we use "inspect icmp error", to reveal the actual internal IP
>>>>> address?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
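A defender's check for the behaviour this thread debates, added here as an example and not written by any of the thread's participants: it parses IOS traceroute output and reports whether a hop answered with an untranslated inside address (what the ASA should have rewritten to the static's mapped address), a "*" no-reply (the ACL case), or the mapped address. The inside prefix 10.2.2.0/24, the static 10.1.1.99 -> 10.2.2.2 and both traceroute transcripts are assumed lab values constructed from the thread, not captured output.

```python
import ipaddress
import re

# Assumed lab values from the thread: 10.2.2.0/24 is the inside (untranslated) network and
# "static (in,out) 10.1.1.99 10.2.2.2" maps the global 10.1.1.99 to the real 10.2.2.2.
INSIDE_PREFIXES = [ipaddress.ip_network("10.2.2.0/24")]
STATIC_MAP = {"10.1.1.99": "10.2.2.2"}  # mapped (outside) address -> real (inside) address
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "  2 10.2.2.2 8 msec 4 msec 8 msec"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed IOS traceroute output: hop 2 answers with the real inside address, i.e. the
# source of the ICMP time-exceeded was not translated; hop 3 never answers (ACL drop).
LEAKING_OUTPUT = """\
Tracing the route to 10.1.1.99
  1 10.1.1.1 4 msec 0 msec 4 msec
  2 10.2.2.2 8 msec 4 msec 8 msec
  3  *  *  *
"""
# Constructed output of the same trace with the ICMP error source rewritten to the mapped address.
CLEAN_OUTPUT = """\
  1 10.1.1.1 4 msec 0 msec 4 msec
  2 10.1.1.99 8 msec 4 msec 8 msec
"""

def classify_hop(addr):
    """Label one hop: reply missing, inside address exposed, mapped address seen, or other."""
    if addr is None:
        return "no-reply"          # ACL dropped the probe or the ICMP error (the "*" case)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INSIDE_PREFIXES):
        return "leaked-inside"     # untranslated address crossed the outside interface
    if addr in STATIC_MAP:
        return "mapped"            # the firewall presented the global address
    return "ok"

def audit_traceroute(output):
    """Parse traceroute text into (hop, address or None, classification) tuples."""
    results = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue               # banner lines carry no leading hop number
        ips = IP_RE.findall(m.group(2))
        addr = ips[0] if ips else None
        results.append((int(m.group(1)), addr, classify_hop(addr)))
    return results

def leaked_hops(output):
    """Hop numbers whose reply exposed an inside address; an empty list means no leak."""
    return [hop for hop, _, label in audit_traceroute(output) if label == "leaked-inside"]
```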
