Hi Nick,

Use "inspect icmp error" in the global policy, then you will find the difference.

With best regards,
Parvees M Davida, CCNP, CISSP, JNCIS-FWV, ITIL V3

On Sat, May 21, 2011 at 1:10 AM, Nick Montante <[email protected]> wrote:

> I think the TTL is decremented on the egress interface, so this is normal
> behavior.
>
> Sent from my Android phone using TouchDown (www.nitrodesk.com)
>
> -----Original Message-----
> *From:* Mark Senteza [[email protected]]
> *Received:* Friday, 20 May 2011, 5:00pm
> *To:* [email protected] [[email protected]]
> *Subject:* [OSL | CCIE_Security] Traceroute through ASA
>
> Hi,
>
> I've got the ASA set up such that it appears in traceroute output, which it
> does, but in an odd way which I wanted to ask if it was normal behavior.
>
> My network is set up as follows.
>
> *SW-VLAN 20* (10.100.20.11) ------- (10.100.20.2) *Fa0/0.20 - Router R2 -
> Fa0/0.2* (10.100.2.2) ----------- (10.100.2.20) *inside - ASA -
> outside* (10.100.1.10) ------------ (10.100.1.1) *Fa0/0 - Router R1*
>
> When I trace from the switch (SW) to 1.1.1.1, which is a Loopback IP on
> Router R1, I get the "outside" interface of the ASA appear in the
> traceroute, as opposed to the "inside" interface which I was expecting to
> appear.
>
> Switch-SW01#trace 1.1.1.1
>
> Type escape sequence to abort.
> Tracing the route to 1.1.1.1
>
> 1 10.100.20.2 0 msec 0 msec 4 msec
> 2 10.100.1.10 4 msec 0 msec *
> 3 10.100.1.1 0 msec 0 msec *
>
> When I trace from Router R1, which is on the outside of the ASA, to an IP on
> the switch, I get the "inside" interface of the ASA appear in the
> traceroute, and not the "outside" interface IP.
>
> Router-R1#trace 10.100.20.11
>
> Type escape sequence to abort.
> Tracing the route to 10.100.20.11
>
> 1 10.100.2.10 0 msec 0 msec *
> 2 10.100.2.2 0 msec 0 msec 0 msec
> 3 10.100.20.11 0 msec 0 msec *
>
> Is this normal behavior?
>
> Mark
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
