Kingsley,
Are you wanting to allow traceroute in both directions?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, January 25, 2010 5:01 AM
To: Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] inspect icmp error

Hi Piotr

This is the ACL on the outside interface.

ciscoasa# sh run access-list 120
access-list 120 extended permit udp any any range 33434 33464
access-list 120 extended permit icmp any any echo
access-list 120 extended permit icmp any any unreachable
access-list 120 extended permit icmp any any time-exceeded
access-list 120 extended permit icmp any any echo-reply

With regards
Kings

On Mon, Jan 25, 2010 at 3:28 PM, Piotr Matusiak <[email protected]> wrote:

Kings,

Have you opened a hole for UDP packets (traceroute) in the outside ACL?

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/25 Kingsley Charles <[email protected]>

Hi Piotr

I did try that before sending this mail. The traceroute just prints "*" and no IP addresses are present. How can you traceroute to an untranslated IP address from a lower security level interface?

With regards
Kings

On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:

Hi,

You must traceroute the private (untranslated) IP address of the host in the inside network to see the difference. For example:

(lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)

Assuming you have the following translation on the ASA:

static (in,out) 10.1.1.99 10.2.2.2

Run the following command on R1:

traceroute <R2-lo0>

You will see that the ASA translates the ICMP time-exceeded or unreachable IP address to 10.1.1.99 (if you have icmp error inspection enabled). If not, you will see the untranslated IP address of R2 (10.2.2.2).

HTH,
Piotr Matusiak

2010/1/25 Kingsley Charles <[email protected]>

Hi all

Can someone please let me know where we would actually use "inspect icmp error". I am not getting the right explanation.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194

With inspect icmp error enabled, I tried an IOS traceroute from outside to a host behind the ASA. With "set connection decrement-ttl", the internal address is revealed. Do we use "inspect icmp error" to reveal the actual internal IP address?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
