Hello Sumit,

If I remember, you also had a static NAT command, right? Try removing that and check the result.

On Tue, May 11, 2010 at 6:37 PM, Sumit Mahla <[email protected]> wrote:
> Tyson,
>
> When I did not remove the dynamic NAT configuration and icmp error to
> global policy then it gives me the following result...
>
> R2#traceroute 11.11.11.11
> Type escape sequence to abort.
> Tracing the route to 11.11.11.11
> 1 192.1.22.81 0 msec * 0 msec
> 2 192.1.22.1 0 msec * 0 msec
> R2#
> PL-Pod122#4
>
> This is the NATted pool IP of the inside interface.
>
> Now when I add the icmp error and remove all the dynamic NAT it gives
> the following..
>
> R2#tra
>
> R2#traceroute 11.11.11.11
> Type escape sequence to abort.
> Tracing the route to 11.11.11.11
> 1 10.22.22.10 0 msec * 0 msec
> 2 192.1.22.1 0 msec * 0 msec
> R2#
> PL-Pod122#4
> [Resuming connection 4 to r4 ... ]
>
> That's the inside interface IP.
>
> ------------------------------
> From: [email protected]
> To: [email protected]; [email protected]
> CC: [email protected]
> Subject: RE: [OSL | CCIE_Security] ASA to show as Traceroute Hop
> Date: Tue, 11 May 2010 09:02:15 -0400
>
> I haven't read this all but you may want to add "icmp error" to your MPF
> if you have NAT going on here as well.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Vybhav
> Ramachandran
> *Sent:* Tuesday, May 11, 2010 8:56 AM
> *To:* Sumit Mahla
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
>
> Hey Sumit,
>
> Check this out, I think when you configure NAT and when you ping the NATted
> inside IP address from the outside, the traceroute command returns the IP
> address of the firewall as the NATted IP address.
>
> ex : In my configuration I added this line
>
> #static (outside,inside) 136.1.121.2 136.1.122.100 ( I'm translating the
> inside host to an IP of 136.1.122.100 )
>
> When I do a traceroute from the outside, the ASA DOES reply to the
> traceroute, but with an IP address of the 136.1.122.100.
>
> Remove the NAT configuration to test, and I think you'll be able to see the
> Firewall outside IP in the traceroute as the first Hop.
>
> Hope this helps.
