traceroute issues with CISCO ASA 5540

Unanswered Question
Mar 3rd, 2009
User Badges:

We have a Cisco ASA connected to the internet through a Cisco 3800 series router. On the inside of the ASA we have a server that is published onto the internet (Static NAT on the ASA to a public IP).


For some reason we require a sucessful traceroute to this server from anywhere in the internet.


The problem is the traceroute is sucessful from a few places, but times out at the ASA from most of the places.


When i bypass the ASA and connect the server directly to the internet with a public IP, trace is sucessful.


ICMP echo and any any is already applied on the ASA to allow tace ICMP packets.


Any idea how to rectify this problem.


Setup:


Server >>>ASA inside--ASA Outside >>> Router >>>>>. Internet.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Tue, 03/03/2009 - 07:20
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Victor


The problem you may be facing is that not all traceroutes use ICMP. Windows machines do but Linux for example uses UDP so if you are not allowing that in it won't respond. Have a look at the following document for more details -


http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml


Jon

victor_87 Tue, 03/03/2009 - 08:18
User Badges:

Thankyou , thankyou very much, i didn't know that. You have opened my eyes.


I wonder y Cisco TAC has this case open from morning, asking for sh tech etc.


Anyway thankyou very much.

Actions

This Discussion