Hello Sumit, I see that on your outside interface you are using an ACL called "OUT".

Cisco uses Unix-style traceroute, i.e. for the traceroute, the outside router would send out UDP messages with incrementing TTL values to ports 33434 - 33464 (incrementing 3 times per hop, I think). Since the ACL does not permit this traffic, traceroute messages from the outside are being blocked by the ASA before it can even process them. So I would suggest adding the following line to the outside ACL:

permit udp any any range 33434 33464

Let me know if this improves anything?

Cheers,
TacACK

On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:
> With the below config the traceroute from ASA's inside to outside works but
> not from outside to inside....
>
> Can somebody please suggest...?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 15:59:52 +0530
> Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop
>
> Hello All,
>
> If I do the following config.. on ASA....
>
> class-map TRACE
>  match any
>
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>  class TRACE
>   set connection decrement-ttl
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
>
> ciscoasa(config)# sh run access-group
> access-group OUT in interface Outside
> ciscoasa(config)#
>
> Still the ASA is not showing up as a HOP in traceroute... I am doing
> traceroute from a router towards a router on the inside of ASA
>
> Am I missing something?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
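As an added illustration (not part of the thread, and not a Cisco tool), the script below parses the ACL lines quoted above into a minimal matcher with the ASA's implicit deny at the end, generates the UDP destination ports a Unix-style traceroute would use for the first three hops, and checks which probes the "OUT" ACL drops before and after TacACK's suggested line. The source/destination pair 202.2.2.2 -> 10.11.11.11 is taken from the thread; the three-probes-per-hop port sequence is the classic traceroute behaviour and is an assumption here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL entries copied from the thread; the suggested line is TacACK's proposed fix.
ASA_ACL_BEFORE = [
    "access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11",
    "access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11",
    "access-list OUT extended permit icmp any any time-exceeded",
    "access-list OUT extended permit icmp any any unreachable",
]
SUGGESTED_LINE = "access-list OUT extended permit udp any any range 33434 33464"

@dataclass
class Ace:
    action: str
    proto: str
    src: str                        # "any" or a host address
    dst: str
    ports: Optional[Tuple[int, int]]  # (lo, hi) for udp/tcp range or eq
    icmp_type: Optional[str]        # e.g. "time-exceeded", None = any type

def parse_ace(line: str) -> Ace:
    # Only the "extended <action> <proto> <src> <dst> [qualifier]" forms seen above are handled.
    t = line.split()
    action, proto, rest = t[3], t[4], t[5:]
    def take_addr(r):
        return ("any", r[1:]) if r[0] == "any" else (r[1], r[2:])  # "host X"
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    ports, icmp_type = None, None
    if rest and rest[0] == "range":
        ports = (int(rest[1]), int(rest[2]))
    elif rest and rest[0] == "eq":
        ports = (int(rest[1]), int(rest[1]))
    elif rest and proto == "icmp":
        icmp_type = rest[0]
    return Ace(action, proto, src, dst, ports, icmp_type)

def permitted(acl, proto, src, dst, dport=None, icmp_type=None) -> bool:
    for ace in map(parse_ace, acl):          # first matching entry wins
        if ace.proto != proto or ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.ports and not (ace.ports[0] <= dport <= ace.ports[1]):
            continue
        if ace.icmp_type and ace.icmp_type != icmp_type:
            continue
        return ace.action == "permit"
    return False                             # implicit deny at the end of every ASA ACL

def traceroute_probe_ports(max_hops=3, probes_per_hop=3, base=33434):
    # Unix-style traceroute: destination port increments by one for every probe sent.
    return [base + hop * probes_per_hop + p for hop in range(max_hops) for p in range(probes_per_hop)]

def probes_blocked(acl, src="202.2.2.2", dst="10.11.11.11"):
    return [p for p in traceroute_probe_ports() if not permitted(acl, "udp", src, dst, p)]
```

Running `probes_blocked(ASA_ACL_BEFORE)` lists every probe port as dropped, while `probes_blocked(ASA_ACL_BEFORE + [SUGGESTED_LINE])` is empty, which is the condition the "decrement-ttl" policy needs before the ASA can ever answer with time-exceeded.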
