I've been troubleshooting a traceroute issue going through an ASA 5520. Using the capture and trace function I discovered the problem was with the NAT exempt rule dropping the packet.
I have a nat 0 rule specifying the next hop router IP and specific source subnet. I enabled this as a security measure to the router.
From what I understand of the traceroute process, from XP for example, the destination IP (let's say google) is retained but with incrementing TTL values. Hence when a traceroute is performed from XP, the destination IP of google is on the packet with a TTL of 0 or 1, causing a time-exceeded message from the router. I have an ACL on the outside allowing this and CBAC checking icmp and icmp error. I believe the time-exceeded packet coming from the router has its directly connected interface as the source interface and the destination IP is the NAT IP used by the ASA going to google.
Traceroute to google.
Private station IP: 10.1.1.1
Destination google: x.x.x.x
Router inside interface after the ASA: 184.108.40.206
NAT IP for destination google defined by global nat: 220.127.116.11
NAT 0 for source 10.x.x.x to destination 18.104.22.168
When the router replies back with the time-exceeded message, it shows the source as 22.214.171.124 and the destination is 126.96.36.199. When it reaches the ASA, the ASA allows it through the outside interface because of the ACL allowing any with icmp time-exceeded. What I don't understand is how it could reach the workstation 10.1.1.1 when there is no static or dynamic NAT entry to un-NAT it, and why it is checking the nat 0 for this.
Thanks in advance.
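The mechanism the question turns on, as an added example that is not part of the original post and not Cisco's code: a stateful NAT device maps an ICMP time-exceeded reply back to the private host by reading the IP header quoted inside the ICMP error (RFC 792 returns the expired packet's IP header plus its first 8 bytes), not the outer header, and matching that quoted header against its translation (xlate) table. The Python below models that with a toy one-to-one NAT; the addresses (documentation ranges), the `Firewall` class and its xlate table are constructed assumptions and do not reproduce the ASA's configuration or internals. It also shows the failure mode a defender cares about: an error whose quoted probe matches no translation has nothing to be un-NATed to and is dropped.

```python
import struct
from dataclasses import dataclass

# Constructed addresses (documentation ranges); assumptions, not the poster's values.
INSIDE_HOST = "10.1.1.1"     # private workstation running traceroute
NAT_IP = "203.0.113.10"      # assumed global NAT address on the firewall's outside
ROUTER = "203.0.113.1"       # assumed next-hop router that returns time-exceeded
TARGET = "198.51.100.5"      # assumed traceroute destination


def ip_to_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def rewrite_ip_header(pkt: bytes, src: str = None, dst: str = None) -> bytes:
    """Patch source/destination in a 20-byte IPv4 header and refresh its checksum (what NAT does)."""
    hdr = bytearray(pkt[:20])
    if src:
        hdr[12:16] = ip_to_bytes(src)
    if dst:
        hdr[16:20] = ip_to_bytes(dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return rewrite_ip_header(hdr + payload)


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "ttl": ttl, "payload": pkt[ihl:]}


def icmp_with_checksum(icmp: bytes) -> bytes:
    body = bytearray(icmp)
    body[2:4] = b"\x00\x00"
    body[2:4] = struct.pack("!H", checksum(bytes(body)))
    return bytes(body)


def build_icmp_echo(ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    return icmp_with_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data)


def build_time_exceeded(expired_packet: bytes) -> bytes:
    """Type 11 / code 0: 4 unused bytes, then the expired IP header + first 8 payload bytes."""
    return icmp_with_checksum(struct.pack("!BBHI", 11, 0, 0, 0) + expired_packet[:28])


@dataclass(frozen=True)
class Xlate:
    inside_ip: str
    global_ip: str
    icmp_id: int


class Firewall:
    """Toy stateful NAT: one-to-one address translation keyed on (global IP, ICMP id)."""

    def __init__(self, nat_ip: str):
        self.nat_ip = nat_ip
        self.xlates: dict = {}

    def outbound(self, pkt: bytes) -> bytes:
        ip = parse_ipv4(pkt)
        icmp_type, _, _, ident, _ = struct.unpack("!BBHHH", ip["payload"][:8])
        if ip["proto"] != 1 or icmp_type != 8:
            raise ValueError("example only models ICMP echo probes")
        self.xlates[(self.nat_ip, ident)] = Xlate(ip["src"], self.nat_ip, ident)
        return rewrite_ip_header(pkt, src=self.nat_ip)

    def inbound_icmp_error(self, pkt: bytes):
        """Return the un-NATed error, or None when no translation matches (dropped)."""
        outer = parse_ipv4(pkt)
        if outer["proto"] != 1 or outer["payload"][0] not in (3, 11):
            return None
        quoted = outer["payload"][8:]                 # the probe as the router saw it
        inner = parse_ipv4(quoted)
        _, _, _, ident, _ = struct.unpack("!BBHHH", inner["payload"][:8])
        xl = self.xlates.get((inner["src"], ident))   # lookup uses the QUOTED header
        if xl is None:
            return None
        new_quoted = rewrite_ip_header(quoted, src=xl.inside_ip)
        icmp = icmp_with_checksum(outer["payload"][:8] + new_quoted)
        return rewrite_ip_header(pkt[:20] + icmp, dst=xl.inside_ip)


def run_hop(ttl: int = 1) -> dict:
    """One traceroute probe: inside host -> firewall -> router (TTL expires) -> back inside."""
    fw = Firewall(NAT_IP)
    probe = build_ipv4(INSIDE_HOST, TARGET, 1, build_icmp_echo(0x1234, 1), ttl=ttl)
    on_wire = fw.outbound(probe)
    if parse_ipv4(on_wire)["ttl"] > 1:
        return {"expired": False}
    error = build_ipv4(ROUTER, parse_ipv4(on_wire)["src"], 1, build_time_exceeded(on_wire))
    back = fw.inbound_icmp_error(error)
    outer = parse_ipv4(back)
    inner = parse_ipv4(outer["payload"][8:])
    return {"expired": True, "outer_src": outer["src"], "outer_dst": outer["dst"],
            "quoted_src": inner["src"], "quoted_dst": inner["dst"],
            "outer_header_ok": checksum(back[:20]) == 0,
            "icmp_ok": checksum(outer["payload"]) == 0}


def unmatched_error_is_dropped() -> bool:
    """An error quoting a probe the firewall never translated has no xlate and is dropped."""
    fw = Firewall(NAT_IP)
    stray = build_ipv4(NAT_IP, TARGET, 1, build_icmp_echo(0x9999, 1), ttl=1)
    error = build_ipv4(ROUTER, NAT_IP, 1, build_time_exceeded(stray))
    return fw.inbound_icmp_error(error) is None


if __name__ == "__main__":
    print(run_hop(1))
    print("stray error dropped:", unmatched_error_is_dropped())
```

Note that the returned error keeps the router's address as its outer source while both the outer destination and the quoted inner source are rewritten to the private host; a capture taken on the inside interface shows exactly that. The lookup key is whatever the translation recorded when the original probe left, so the reply can only be delivered if the outbound probe created that state.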