Yes we still require it. This is required because, if the inside host
initiates the traceroute to the outside network, both these ICMP messages are
returned back.

So your outside ACL could look like this

permit udp any any range 33434 33464 -> To permit Unix style traceroute
messages from the outside
permit icmp any any echo-request -> Permit Windows style traceroute messages
from the outside
permit icmp any any time-exceeded -> Intermediate routers return this
packet.
permit icmp any any port-unreachable -> Unix traceroute final message
permit icmp any any echo-reply -> Windows traceroute final message

Hmm as to why it's not working. Let me fire up a lab.




On Tue, May 11, 2010 at 5:04 PM, Sumit Mahla <[email protected]> wrote:

> ciscoasa(config)# sh run access-list
> access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host
> 11.11.11.11
> access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host
> 10.11.11.11
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any echo
> access-list OUT extended permit icmp any any echo-reply
>
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
> access-list OUT extended permit udp any any range 33434 33464
>
>
>
> R2#traceroute 11.11.11.11
> Type escape sequence to abort.
> Tracing the route to 11.11.11.11
>   1 11.11.11.11 0 msec *  0 msec
>   2 11.11.11.11 0 msec *  0 msec
> R2#traceroute 10.22.22.1
> Type escape sequence to abort.
> Tracing the route to 10.22.22.1
>   1 10.22.22.1 0 msec *  0 msec
>   2 10.22.22.1 0 msec *  0 msec
> R2#
>
>
> It is still not showing ASA as a hop.....
>
>
>
>
> ------------------------------
> Date: Tue, 11 May 2010 16:48:01 +0530
> Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
> From: [email protected]
>
> To: [email protected]
> CC: [email protected]
>
>  Hello Sumit,
> I see that on your outside interface you are using an ACL called "OUT".
> Cisco uses Unix style traceroute, i.e. for the traceroute, the outside
> router would send out UDP messages with incrementing TTL values to ports
> 33434 - 33464 (incrementing 3 times per hop, I think). Since the ACL
> does not permit this traffic, traceroute messages from the outside are being
> blocked by the ASA before it can even process them. So I would suggest
> adding the following line to the outside ACL
> "permit udp any any range 33434 33464"
> Let me know if this improves anything?
> Cheers,
> TacACK
>
>
> On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:
>
> With the below config the traceroute from ASA's inside to outside works but
> not from outside to inside....
>
> can somebody please suggest...?
>
>
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 15:59:52 +0530
> Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop
>
>
>
>
> Hello All,
>
>
> If I do the following config.. on ASA....
>
>
>  class-map TRACE
>  match any
>
>
>  policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>  class TRACE
>   set connection decrement-ttl
>
>
>  access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
>
>  ciscoasa(config)# sh run access-group
> access-group OUT in interface Outside
> ciscoasa(config)#
>
>
>
> Still the ASA is not showing up as a HOP in traceroute... I am doing
> traceroute from a router towards a router on the inside of ASA
>
>
> Am I missing something?
>
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>
> ------------------------------
> The latest auto launches and test drives Drag n' 
> drop<http://autos.in.msn.com/>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Reply via email to
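As an added illustration that is not part of this thread (and not Cisco's code), the following Python model reproduces the behaviour TacACK describes: Unix style traceroute sends UDP probes to ports 33434-33464 with a rising TTL, Windows style sends ICMP echo, intermediate hops answer with time-exceeded, the target answers with port-unreachable or echo-reply, and an ASA stays invisible unless `set connection decrement-ttl` is applied. The outside ACL is reduced to protocol, ICMP type and UDP port (the host-specific entries from the thread are not modelled), the `Ace`, `Hop`, `traceroute` and `scenario` names are this example's own, and the addresses 192.0.2.1 (ASA) and 198.51.100.10 (target) are constructed. It also covers the case from the top of the thread, an inside host tracing outward, where the ICMP answers arrive inbound on the outside interface and are dropped unless time-exceeded and unreachable are permitted.

```python
"""Traceroute crossing a firewall hop, modelled from what the thread states.

Added example, not from the thread or from Cisco documentation. Only protocol,
ICMP type and UDP port are matched (source/destination hosts are ignored); hop
names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: protocol, ICMP type ("unreachable" covers all codes), UDP ports."""
    proto: str
    icmp_type: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None


@dataclass
class Hop:
    name: str
    ip: str
    decrements_ttl: bool = True       # routers always do; the ASA only with decrement-ttl
    acl: Optional[List[Ace]] = None   # inbound ACL on the outside interface (firewall only)
    outside_side: str = "src"         # which side of the firewall ("src"/"dst") is outside


def acl_permits(acl: List[Ace], proto: str, icmp_type=None, dport=None) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.proto != proto:
            continue
        if proto == "icmp" and not (
                ace.icmp_type is None or ace.icmp_type == icmp_type or
                (ace.icmp_type == "unreachable" and str(icmp_type).endswith("unreachable"))):
            continue
        if proto == "udp" and ace.ports and not (ace.ports[0] <= dport <= ace.ports[1]):
            continue
        return True
    return False


def checked_on_outside(hop: Hop, entering_from: str) -> bool:
    """True when a packet entering the hop from that side is subject to the outside ACL."""
    return hop.acl is not None and hop.outside_side == entering_from


def traceroute(path: List[Hop], style: str = "unix", max_ttl: int = 6):
    """One (replying IP, ICMP reply type) pair per TTL; ("*", None) means no answer.

    `path` lists the hops after the tracing host, the last one being the target.
    """
    results, dport = [], 33434
    for ttl in range(1, max_ttl + 1):
        proto, probe_type = ("udp", None) if style == "unix" else ("icmp", "echo")
        reply, replier, remaining = ("*", None), None, ttl
        for i, hop in enumerate(path):
            # Probe enters from the source side: the outside ACL applies if that side is outside.
            if checked_on_outside(hop, "src") and not acl_permits(hop.acl, proto, probe_type, dport):
                break                                  # dropped; nothing is sent back
            if i == len(path) - 1:                     # the target answers the probe
                reply, replier = (hop.ip, "port-unreachable" if proto == "udp" else "echo-reply"), i
                break
            if hop.decrements_ttl:
                remaining -= 1
                if remaining == 0:                     # an intermediate hop answers
                    reply, replier = (hop.ip, "time-exceeded"), i
                    break
        # The answer travels back through the hops between the replier and the source; a
        # firewall whose outside lies on the destination side checks it inbound.
        for hop in path[:replier] if replier is not None else []:
            if checked_on_outside(hop, "dst") and not acl_permits(hop.acl, "icmp", reply[1]):
                reply = ("*", None)                    # answer dropped at the outside interface
                break
        results.append(reply)
        dport += 1                                     # Unix traceroute steps the port per probe
        if reply[1] in ("port-unreachable", "echo-reply"):
            break                                      # target reached
    return results


# Constructed copies of the thread's outside ACL, with and without the UDP line.
OUT_FULL = [Ace("icmp", "echo"), Ace("icmp", "echo-reply"), Ace("icmp", "time-exceeded"),
            Ace("icmp", "unreachable"), Ace("udp", ports=(33434, 33464))]
OUT_NO_UDP = [a for a in OUT_FULL if a.proto != "udp"]
ASA_IP, TARGET_IP = "192.0.2.1", "198.51.100.10"      # constructed documentation addresses


def scenario(decrement_ttl: bool, acl: List[Ace], style="unix", inside_initiated=False):
    """Trace host -> ASA -> target; inside_initiated puts the ASA's outside on the far side."""
    asa = Hop("ASA", ASA_IP, decrements_ttl=decrement_ttl, acl=acl,
              outside_side="dst" if inside_initiated else "src")
    return traceroute([asa, Hop("R-target", TARGET_IP)], style=style)


if __name__ == "__main__":
    print("no decrement-ttl :", scenario(False, OUT_FULL))
    print("decrement-ttl    :", scenario(True, OUT_FULL))
    print("UDP line missing :", scenario(True, OUT_NO_UDP))
```

Running it shows the three situations from the thread: without decrement-ttl the target answers at TTL 1 and the ASA never appears; with it the ASA shows up as hop 1; with the UDP line missing every probe is dropped at the outside interface and the trace is all stars. Calling `scenario(True, [Ace("udp", ports=(33434, 33464))], inside_initiated=True)` shows why the ICMP entries are still needed for an inside-initiated trace: the ASA answers hop 1 itself, but the target's port-unreachable is dropped inbound on the outside interface until `unreachable` is permitted.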