Traceroute Question

Hi,

I've been troubleshooting a traceroute issue going through an ASA 5520.  Using the capture and trace function I discovered the problem was with the NAT exempt rule dropping the packet.

I have a nat 0 rule specifying the next hop router IP and specific source subnet.  I enabled this as a security measure to the router.

From what I understand of the traceroute process, from XP for example, the destination IP (let's say Google) is retained but with incrementing TTL values.  Hence when a traceroute is performed from XP, the destination IP of Google is on the packet with a TTL of 0 or 1, causing a time-exceeded message from the router.  I have an ACL on the outside allowing this and CBAC checking icmp and icmp error. I believe the time-exceeded packet coming from the router has its directly connected interface as the source interface and the destination IP is the NAT IP used by the ASA going to Google.

Example:

Traceroute to Google.

Private station IP: 10.1.1.1

Destination Google: x.x.x.x

Router inside interface after the ASA: 8.8.8.1

NAT IP for destination Google defined by global NAT: 4.4.4.4

NAT 0 for source 10.x.x.x to destination 8.8.8.1

When the router replies back with the time-exceeded message, it shows the source as 8.8.8.1 and the destination as 4.4.4.4.  When it reaches the ASA, the ASA allows it through the outside interface because of the ACL allowing any with icmp time-exceeded.  What I don't understand is how it could reach the workstation 10.1.1.1 when there is no static or dynamic NAT entry to un-NAT it, and why it is checking the nat 0 for this.

Thanks in advance.

Cisco Employee

Re: Traceroute Question

Mark,

Please make sure you have "inspect icmp" and "inspect icmp error" under the default policy-map.

Nat 0 takes precedence over other NATs, and if you don't have inspection you don't keep track of ICMP sessions (ICMP echoes) the ASA has seen, so it matches any NAT following the order of operations.

I hope it helps.

PK
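As an added illustration (not part of the original thread), the relevant pieces of a pre-8.3 ASA 5520 configuration built from the addresses in the question, showing the default policy without ICMP inspection beside the one the reply recommends, plus a packet-tracer check for the returning time-exceeded message. The interface and ACL names (inside, outside, NAT0) are assumed.

```cisco
! Addresses from the question: inside host 10.1.1.1, next-hop router 8.8.8.1,
! global (PAT) address 4.4.4.4. Pre-8.3 NAT syntax as used on an ASA 5520 of that era.
! Interface and ACL names (inside, outside, NAT0) are assumed for this example.

! NAT exemption for inside hosts talking to the router itself (the "nat 0" from the post)
access-list NAT0 extended permit ip 10.0.0.0 255.0.0.0 host 8.8.8.1
nat (inside) 0 access-list NAT0

! Dynamic translation for everything else heading out (e.g. to Google)
global (outside) 1 4.4.4.4
nat (inside) 1 10.0.0.0 255.0.0.0

! Before: default policy with no ICMP inspection. The outbound probes leave no
! tracked ICMP session, so the returning time-exceeded (type 11) from 8.8.8.1
! to 4.4.4.4 has no session to be un-NATed against and is matched against the
! NAT rules in order of operations, where the nat 0 entry is consulted first.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http

! After: add ICMP and ICMP error inspection so the probe creates a tracked session
! and the error carrying the embedded original packet is un-NATed back to 10.1.1.1.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Verification (exec mode): confirm the inspections are applied, then simulate the
! returning time-exceeded packet (type 11, code 0) arriving on the outside interface.
show service-policy
packet-tracer input outside icmp 8.8.8.1 11 0 4.4.4.4
```

In the packet-tracer output, the NAT phase should now report the translation back to 10.1.1.1 instead of a drop on the nat 0 rule.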
