To allow trace-route from outside, you need to allow the following in the access-list:

permit udp any any range 33434 33464 - unix based trace route
permit icmp any any echo - icmp based trace route

On Tue, May 11, 2010 at 3:59 PM, Sumit Mahla <[email protected]> wrote:
>
> Hello All,
>
> If I do the following config on ASA...
>
> class-map TRACE
>  match any
>
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>  class TRACE
>   set connection decrement-ttl
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
>
> ciscoasa(config)# sh run access-group
> access-group OUT in interface Outside
> ciscoasa(config)#
>
> Still the ASA is not showing up as a hop in traceroute... I am doing
> traceroute from a router towards a router on the inside of the ASA.
>
> Am I missing something?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
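An added example, not part of the thread: a small first-match evaluator for the ACL subset used above, showing which traceroute probes the posted OUT list passes with and without the two entries from the reply. The full `access-list OUT extended` form of those entries and the probe source 198.51.100.7 are assumptions made for illustration.

```python
# Minimal first-match evaluator for the ASA extended-ACL forms seen in this
# thread: "any" / "host A.B.C.D", "range lo hi" for UDP, an ICMP type keyword.
# It is not a full ASA parser.

POSTED_ACL = """\
access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
"""
# The reply's two entries, written out in full for ACL OUT (assumed form).
SUGGESTED = """\
access-list OUT extended permit udp any any range 33434 33464
access-list OUT extended permit icmp any any echo
"""

def _addr(tok):
    """Consume 'any' or 'host X'; return (address or None, remaining tokens)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("unsupported address form: " + tok[0])

def parse(text):
    """Turn ACL text into (action, proto, src, dst, qualifier-tokens) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, rest = _addr(tok[5:])
        dst, rest = _addr(rest)
        rules.append((tok[3], tok[4], src, dst, rest))
    return rules

def allowed(rules, proto, src, dst, port=None, icmp_type=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, r_proto, r_src, r_dst, rest in rules:
        if r_proto != proto or r_src not in (None, src) or r_dst not in (None, dst):
            continue
        if rest[:1] == ["range"]:
            if port is None or not int(rest[1]) <= port <= int(rest[2]):
                continue
        elif proto == "icmp" and rest and rest[0] != icmp_type:
            continue
        return action == "permit"
    return False
```
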
