The static NAT command was for the loopback; I understand that needs to be removed.
I need to see the original IP (11.11.11.11).
What I mean to say is that when a user from outside initiates a traceroute to
some internal network IP, the firewall returns its inside IP. That means the
inside IP of our firewall is being revealed to an outside attacker. Is there a
way, apart from NATting, by which we can get the outside IP of the firewall in
the traceroute result?
Date: Tue, 11 May 2010 18:41:26 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]

Hello Sumit,

If I remember correctly, you also had a static NAT command, right? Try removing
that and check the result.
On Tue, May 11, 2010 at 6:37 PM, Sumit Mahla <[email protected]> wrote:

Tyson,

When I did not remove the dynamic NAT configuration and the icmp error from the
global policy, it gives me the following result:

R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
  1 192.1.22.81 0 msec *  0 msec
  2 192.1.22.1 0 msec *  0 msec
R2#
PL-Pod122#4

This is the NATted pool IP of the inside interface.

Now when I add the icmp error and remove all the dynamic NAT, it gives the
following:

R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
  1 10.22.22.10 0 msec *  0 msec
  2 192.1.22.1 0 msec *  0 msec
R2#
PL-Pod122#4
[Resuming connection 4 to r4 ... ]

That's the inside interface IP.

From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] ASA to show as Traceroute Hop
Date: Tue, 11 May 2010 09:02:15 -0400
I haven't read this all, but you may want to add "icmp error" to your MPF if you
have NAT going on here as well.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio 
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, 
Voice, Security & Service Provider) certification(s) with training locations 
throughout the United States, Europe, South Asia and Australia. Be sure to 
visit our online communities at www.ipexpert.com/communities and our public 
website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Vybhav Ramachandran
Sent: Tuesday, May 11, 2010 8:56 AM
To: Sumit Mahla
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop

Hey Sumit,

Check this out: I think when you configure NAT and then ping the NATted inside
IP address from the outside, the traceroute command returns the IP address of
the firewall as the NATted IP address.

e.g. in my configuration I added this line:

#static (outside,inside) 136.1.121.2 136.1.122.100 (I'm translating the inside
host to an IP of 136.1.122.100)

When I do a traceroute from the outside, the ASA DOES reply to the traceroute,
but with an IP address of 136.1.122.100.

Remove the NAT configuration to test, and I think you'll be able to see the
firewall's outside IP in the traceroute as the first hop.

Hope this helps.
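As an added illustration, not from any of the posts in this thread, the constructed pre-8.3 ASA configuration below reproduces the two behaviours Sumit reported: with dynamic NAT and "inspect icmp error" the ASA's hop shows as the pool address (192.1.22.81), and with no NAT covering the inside interface it shows the real inside interface address (10.22.22.10). The outside interface address 192.1.22.10, the inside host 10.22.22.50, the mapped address 192.1.22.100 and the decrement-ttl/rate-limit lines are assumptions, not values taken from the thread.

```text
! Constructed lab example (not the thread's actual config); pre-8.3 NAT syntax.
! 10.22.22.10 (inside interface), 192.1.22.81 (pool) and 192.1.22.1 (outside
! next hop) come from the thread; every other address is assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.1.22.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.22.22.10 255.255.255.0
!
! Dynamic NAT for the inside network. Because it also covers the inside
! interface address, the ICMP time-exceeded the ASA generates toward the
! outside is translated (via "inspect icmp error" below) to the pool address,
! which is why hop 1 appeared as 192.1.22.81 in the first traceroute.
! Remove these two lines and hop 1 reverts to 10.22.22.10, the real inside
! interface address, as in the second traceroute.
nat (inside) 1 10.22.22.0 255.255.255.0
global (outside) 1 192.1.22.81-192.1.22.90 netmask 255.255.255.0
!
! Static for one inside host that outside users traceroute to (assumed host).
static (inside,outside) 192.1.22.100 10.22.22.50 netmask 255.255.255.255
!
! Assumed: the ASA only shows up as a hop at all if it decrements TTL and is
! allowed to send ICMP unreachables/time-exceeded (rate limited).
icmp unreachable rate-limit 10 burst-size 5
class-map class-default
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
service-policy global_policy global
```

The address an outside traceroute sees for the ASA is therefore whatever NAT rule happens to match the inside interface address when "inspect icmp error" is on, and the untranslated inside address otherwise; auditing the NAT rules that cover interface addresses is the check to run before deciding what a hop entry exposes.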