Actually, I think this is just a "cosmetic" issue with the ASA and
everything is fine. For some reason when you traceroute through the firewall
and enable the firewall to respond to traceroutes too, then depending which
direction you are originating the traceroutes from, the ASA responds and
displays the IP Address of the interface facing the next-hop on the other
end i.e. if you are running a traceroute from inside to outside, it will
display the IP Address of the "outside" interface, instead of the "inside"
as we'd expect. When you traceroute from outside inbound, then it responds
with the IP Address of the "inside" interface.

I found this odd too, but it's normal ASA behavior.

Mark

On Mon, Aug 29, 2011 at 2:48 AM, neo <[email protected]> wrote:

> This is a result of the fact that the ASA is not responding to all of the
> traceroute packets.  This is due to the rate-limiting of ICMP on the ASA.
> You can adjust this as below. Test it and let us know.
>
> *icmp unreachable rate-limit 10 burst-size 5*
>
> Thx,
>
> Satvik
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *waleed '
>
> *Sent:* 29 August 2011 11:24
> *To:* [email protected]; [email protected];
> [email protected]
>
> *Subject:* Re: [OSL | CCIE_Security] ASA Traceroute
>
> I have the same. Why is this? Does anyone have a clarification?
> ------------------------------
>
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Sun, 7 Aug 2011 11:01:55 -0400
> Subject: Re: [OSL | CCIE_Security] ASA Traceroute
>
> That is normal.  Do a traceroute without security appliance and you will
> see similar results
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> [email protected]
>
>
> ----- Reply message -----
> From: "Kok Yong CHEONG" <[email protected]>
> Date: Sun, Aug 7, 2011 8:01 am
> Subject: [OSL | CCIE_Security] ASA Traceroute
> To: "[email protected]" <[email protected]>
>
> Hi guys, I need your advice.
>
> I was trying traceroute through the ASA and saw the following traceroute
> result.
> Do you guys have any clue what causes the *?
>
> R2 <----> (I) ASA (O) <----> R1
>
> R1 traceroute to R2, with ASA's config:
>
> -allow udp 33434 and above on the ASA's outside interface
> -set connection decrement-ttl on ASA
> -no ACL on ASA's inside interface
>
> R1#traceroute 10/10.4.2
>
> Type escape sequence to abort.
> Tracing the route to 45.45.4.2
>
>  1 10.10.4.12   0 msec   0 msec 0 msec
>  2 10.10.4.2    4 msec    *          0 msec
> R1#
>
> By the way, (10.10.4.12) is the ASA inside interface IP, (10.10.4.2) is R2's
> interface connected to the ASA. Why is there an "*" on the entry of 10.10.4.2,
> not reporting any value? What could have resulted in that?
>
> Thanks in advance
>
> Regards
> KY
>
>
>
> _______________________________________________ For more information
> regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>