Tyson,
When I did not remove the dynamic NAT configuration and icmp error to global
policy then it gives me the following result...
R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
1 192.1.22.81 0 msec * 0 msec
2 192.1.22.1 0 msec * 0 msec
R2#
PL-Pod122#4
This is the NATted pool IP of the inside interface.
Now when I add the icmp error and remove all the dynamic NAT it gives the
following..
R2#tra
R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
1 10.22.22.10 0 msec * 0 msec
2 192.1.22.1 0 msec * 0 msec
R2#
PL-Pod122#4
[Resuming connection 4 to r4 ... ]
That's the inside interface IP
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] ASA to show as Traceroute Hop
Date: Tue, 11 May 2010 09:02:15 -0400
I haven't read this all but you may want to add "icmp error" to your MPF if you
have nat going on here as well.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
From: [email protected]
[mailto:[email protected]] On Behalf Of Vybhav Ramachandran
Sent: Tuesday, May 11, 2010 8:56 AM
To: Sumit Mahla
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
Hey Sumit,
Check this out, I think when you configure NAT and when you ping the NATted
inside IP address from the outside, the traceroute command returns the IP
address of the firewall as the NATted IP address.
ex : In my configuration I added this line
#static (outside,inside) 136.1.121.2 136.1.122.100 ( I'm translating the inside
host to an IP of 136.1.122.100 )
When I do a traceroute from the outside, the ASA DOES reply to the traceroute,
but with an IP address of the 136.1.122.100.
Remove the NAT configuration to test, and I think you'll be able to see the
firewall outside IP in the traceroute as the first hop.
Hope this helps.
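
Added example, not part of the original thread or any poster's configuration: a minimal ASA Modular Policy Framework (MPF) setup for the thread's topic, combining the "icmp error" inspection suggested above with TTL decrement so the ASA is counted as a traceroute hop. It assumes the factory-default global_policy and inspection_default names; the rate-limit values are illustrative.

```cisco
! Constructed example. Assumes the default policy-map (global_policy) and
! default class-map (inspection_default) are still present on the ASA.
policy-map global_policy
 class inspection_default
  ! Track ICMP echo / echo-reply statefully.
  inspect icmp
  ! Create translation sessions for intermediate hops that send ICMP error
  ! messages, so the addresses in those messages follow the NAT configuration.
  inspect icmp error
 class class-default
  ! Decrement the IP TTL of transit packets; without this the ASA passes
  ! packets with the TTL unchanged and never appears as a hop.
  set connection decrement-ttl
!
! The default is 1 ICMP unreachable per second; raise it so the ASA can
! answer a full set of traceroute probes (values are illustrative).
icmp unreachable rate-limit 10 burst-size 5
!
! Present by default; shown so the example is complete.
service-policy global_policy global
```

To compare against the outputs posted in the thread, run the traceroute once with "inspect icmp error" present and once after removing it, and check "show service-policy" and "show xlate" between runs.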