Kings,

Windows-based traceroute requires icmp any any echo? And in one of the
documents it was mentioned that we need time-exceeded and unreachable as
well...

Please suggest...

Date: Tue, 11 May 2010 16:48:21 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]


To allow trace-route from outside, you need to allow the following in the access-list:
 
permit udp any any range 33434 33464 - unix based trace route
permit icmp any any echo - icmp based trace route


On Tue, May 11, 2010 at 3:59 PM, Sumit Mahla <[email protected]> wrote:

Hello All,

If I do the following config on the ASA...

class-map TRACE
 match any

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class TRACE
  set connection decrement-ttl

access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable

ciscoasa(config)# sh run access-group
access-group OUT in interface Outside
ciscoasa(config)#

Still the ASA is not showing up as a HOP in traceroute... I am doing traceroute
from a router towards a router on the inside of ASA

Am I missing something?

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
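
As an added illustration (not part of the original thread, and not Cisco code), this Python example models first-match evaluation with implicit deny for the OUT access list posted above, with and without the UDP entry from the reply. The simplified parser, the constructed packets and the full-form UDP entry are assumptions; it covers only the ACE syntax that appears in the thread.

```python
import ipaddress

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# ACL exactly as posted in the thread.
ACL_OUT = [
    "access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11",
    "access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11",
    "access-list OUT extended permit icmp any any time-exceeded",
    "access-list OUT extended permit icmp any any unreachable",
]
# The reply's UDP entry written out in full ACE form (assumed to go into OUT).
UDP_ACE = "access-list OUT extended permit udp any any range 33434 33464"

def _net(tok):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    word = tok.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if word == "any" else tok.pop(0) + "/32")

def parse_ace(line):
    tok = line.split()[3:]  # drop 'access-list NAME extended'
    ace = {"action": tok.pop(0), "proto": tok.pop(0), "src": _net(tok), "dst": _net(tok)}
    ace["icmp_type"] = ICMP_TYPES[tok[0]] if ace["proto"] == "icmp" and tok else None
    ace["ports"] = (int(tok[1]), int(tok[2])) if tok and tok[0] == "range" else None
    return ace

def evaluate(acl, pkt):
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in map(parse_ace, acl):
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if ace["proto"] != pkt["proto"] or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        if ace["ports"] and not ace["ports"][0] <= pkt.get("dport", -1) <= ace["ports"][1]:
            continue
        return ace["action"]
    return "deny"

# Constructed sample packets arriving on the Outside interface.
UDP_PROBE = {"proto": "udp", "src": "202.2.2.2", "dst": "10.11.11.11", "dport": 33434}
ICMP_ECHO = {"proto": "icmp", "src": "202.2.2.2", "dst": "10.11.11.11", "icmp_type": 8}
TIME_EXCEEDED = {"proto": "icmp", "src": "198.51.100.7", "dst": "202.2.2.2", "icmp_type": 11}

if __name__ == "__main__":
    for name, pkt in [("udp probe", UDP_PROBE), ("icmp echo", ICMP_ECHO), ("time-exceeded", TIME_EXCEEDED)]:
        print(f"{name:14} posted ACL: {evaluate(ACL_OUT, pkt):6} with UDP entry: {evaluate(ACL_OUT + [UDP_ACE], pkt)}")
```
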


                                          