03-03-2009 07:10 AM - edited 03-11-2019 07:59 AM
We have a Cisco ASA connected to the internet through a Cisco 3800 series router. On the inside of the ASA we have a server that is published onto the internet (Static NAT on the ASA to a public IP).
For some reason we require a successful traceroute to this server from anywhere in the internet.
The problem is the traceroute is successful from a few places, but times out at the ASA from most of the places.
When I bypass the ASA and connect the server directly to the internet with a public IP, trace is successful.
ICMP echo and any any is already applied on the ASA to allow trace ICMP packets.
Any idea how to rectify this problem?
Setup:
Server >>> ASA inside -- ASA outside >>> Router >>> Internet
03-03-2009 07:18 AM
Read the below for the solution:-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
HTH.
03-03-2009 07:20 AM
Victor
The problem you may be facing is that not all traceroutes use ICMP. Windows machines do but Linux for example uses UDP so if you are not allowing that in it won't respond. Have a look at the following document for more details -
http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml
Jon
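The difference Jon describes, shown as an added ASA configuration example (not from the original thread or the linked Cisco notes): it permits both probe types a traceroute can send, ICMP echo (Windows tracert) and UDP to the traceroute port range (Linux/Unix traceroute), to the published server only, and enables ICMP error inspection so the server's time-exceeded and port-unreachable replies are translated back to the public address on the way out. The public IP 203.0.113.10 and the ACL and interface names are placeholders.

```text
! Constructed example. 203.0.113.10 = the server's static NAT public address (placeholder).
! Allow ICMP echo probes (Windows tracert) to the published server only, not "any any".
access-list OUTSIDE_IN extended permit icmp any host 203.0.113.10 echo
! Allow UDP probes (Linux/Unix traceroute). Default base port 33434, one port per probe,
! so this range covers 30 hops x 3 probes. Narrow it if your client tooling allows.
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 range 33434 33523
access-group OUTSIDE_IN in interface outside
!
! Inspect ICMP so echo replies are matched to their request, and inspect ICMP errors
! so the time-exceeded / port-unreachable replies, whose embedded header still carries
! the server's private address, are translated back to 203.0.113.10.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify while a trace runs from an outside host:
! show access-list OUTSIDE_IN   (hit counts on the echo vs udp lines show which probe
!                                type the remote tracer is sending)
! show conn protocol udp        (UDP probe connections to 203.0.113.10 high ports)
```

If the hit counter climbs on the udp line while the trace still times out, the missing piece is usually the return path (ICMP error inspection), not the inbound ACL.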
03-03-2009 08:18 AM
Thank you, thank you very much, I didn't know that. You have opened my eyes.
I wonder why Cisco TAC has this case open from morning, asking for sh tech etc.
Anyway, thank you very much.