I've been troubleshooting a traceroute issue going through an ASA 5520. Using the capture and trace function I discovered the problem was with the NAT exempt rule dropping the packet.
I have a nat 0 rule specifying the next-hop router IP and a specific source subnet. I enabled this as a security measure to the router.
From what I understand of the traceroute process, from XP for example, the destination IP (let's say Google) is retained but with incrementing TTL values. Hence when a traceroute is performed from XP, the destination IP of Google is on the packet with a TTL of 0 or 1, causing a time-exceeded message from the router. I have an ACL on the outside allowing this and CBAC checking icmp and icmp error. I believe the time-exceeded packet coming from the router has its directly connected interface as the source interface, and the destination IP is the NAT IP used by the ASA going to Google.
Traceroute to google.
Private station IP: 10.1.1.1
Destination google: x.x.x.x
Router inside interface after the ASA: 220.127.116.11
NAT IP for destination google defined by global nat: 18.104.22.168
NAT 0 for source 10.x.x.x to destination 22.214.171.124
When the router replies back with the time-exceeded message, it shows the source as 126.96.36.199 and the destination as 188.8.131.52. When it reaches the ASA, the ASA allows it through the outside interface because of the ACL allowing any with icmp time-exceeded. What I don't understand is how it could reach the workstation 10.1.1.1 when there is no static or dynamic NAT entry to un-NAT it, and why it is checking the nat 0 for this.
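The mechanism the post is asking about, as an added illustration that is not part of the original post and does not describe the ASA's own code path: an ICMP Time Exceeded quotes the IP header (plus eight bytes) of the packet that triggered it, so a NAT device can key its reverse lookup on that embedded header's translated source rather than on any session for the error itself (this is the behaviour RFC 5508 requires of NATs). The script below builds the low-TTL echo probe, source-NATs it, generates the router's Time Exceeded, and then reverse-translates both the outer destination and the embedded source. Addresses follow the post's first listing; the Google address is elided there as x.x.x.x, so a constructed documentation-range placeholder (203.0.113.10) stands in for it, and the xlate table and function names are hypothetical.

```python
"""Reverse-translating an ICMP Time Exceeded for a NATed traceroute probe.

Constructed example (not ASA code): the error's payload carries the
original, already-translated IP header, and the translator maps that
embedded source back to the private host (RFC 792 format, RFC 5508 NAT
behaviour).
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

# Addresses from the post; REMOTE_DST is a constructed placeholder for "google".
PRIVATE_HOST = "10.1.1.1"
NAT_GLOBAL = "18.104.22.168"
ROUTER_IF = "220.127.116.11"
REMOTE_DST = "203.0.113.10"

# Hypothetical xlate table on the translator: global source -> private source.
REVERSE_XLATE = {NAT_GLOBAL: PRIVATE_HOST}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a block containing its own
    correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ttl": f[5], "proto": f[6], "src": str(IPv4Address(f[8])),
            "dst": str(IPv4Address(f[9])), "header": pkt[:ihl], "payload": pkt[ihl:]}


def rewrite_ipv4(header: bytes, src: str = None, dst: str = None) -> bytes:
    """Patch src/dst in an existing header and refresh its checksum,
    leaving total length, id and TTL exactly as they were."""
    s = IPv4Address(src).packed if src else header[12:16]
    d = IPv4Address(dst).packed if dst else header[16:20]
    h = header[:10] + b"\x00\x00" + s + d + header[20:]
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]


def build_echo_probe(src: str, dst: str, ttl: int) -> bytes:
    """ICMP Echo Request (type 8) as Windows tracert sends it, with a low TTL."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, ttl) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, 1, icmp, ttl)


def translate_outbound(pkt: bytes, global_ip: str) -> bytes:
    """Source NAT on the way out: private source -> global source."""
    p = parse_ipv4(pkt)
    return rewrite_ipv4(p["header"], src=global_ip) + p["payload"]


def build_time_exceeded(router_ip: str, offending: bytes) -> bytes:
    """Router-side ICMP Time Exceeded (type 11, code 0): 4 unused bytes, then
    the offending packet's IP header plus its first 8 payload bytes."""
    inner = parse_ipv4(offending)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner["header"] + inner["payload"][:8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(router_ip, inner["src"], 1, icmp, 255)


def untranslate_icmp_error(pkt: bytes, reverse: dict) -> Optional[bytes]:
    """Translator inbound path for ICMP errors (types 3, 11, 12): look up the
    embedded original header's source in the reverse xlate table, and rewrite
    both that embedded source and the outer destination. Anything with no
    matching xlate, or whose outer destination disagrees with the embedded
    source, is dropped (returned as None)."""
    outer = parse_ipv4(pkt)
    icmp = outer["payload"]
    if outer["proto"] != 1 or icmp[0] not in (3, 11, 12):
        return None
    inner = parse_ipv4(icmp[8:])
    private = reverse.get(inner["src"])
    if private is None or outer["dst"] != inner["src"]:
        return None
    new_inner = rewrite_ipv4(inner["header"], src=private) + inner["payload"]
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_inner
    new_icmp = new_icmp[:2] + struct.pack("!H", checksum(new_icmp)) + new_icmp[4:]
    return rewrite_ipv4(outer["header"], dst=private) + new_icmp


def demo() -> dict:
    """Walk the probe out through NAT, back as a Time Exceeded, and un-NAT it."""
    probe = build_echo_probe(PRIVATE_HOST, REMOTE_DST, ttl=1)
    error = build_time_exceeded(ROUTER_IF, translate_outbound(probe, NAT_GLOBAL))
    delivered = untranslate_icmp_error(error, REVERSE_XLATE)
    outer = parse_ipv4(delivered)
    inner = parse_ipv4(outer["payload"][8:])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "icmp_csum_ok": checksum(outer["payload"]) == 0}


if __name__ == "__main__":
    print(demo())
```

The point of the `outer["dst"] != inner["src"]` check is that the translator trusts the quoted header only when it is consistent with the outer packet; an error whose embedded source has no xlate entry is simply dropped, which is the observable symptom when the rule that would match the embedded flow rejects it.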