Cisco Support Community

New Member

Traceroute Question


I've been troubleshooting a traceroute issue going through an ASA 5520. Using the capture and trace function I discovered the problem was with the NAT exempt rule dropping the packet.

I have a nat 0 rule specifying the next hop router IP and specific source subnet.  I enabled this as a security measure to the router.

From what I understand of the traceroute process, from XP for example, the destination IP (let's say Google) is retained but with incrementing TTL values. Hence when a traceroute is performed from XP, the destination IP of Google is on the packet with a TTL of 0 or 1, causing a time-exceeded message from the router. I have an ACL on the outside allowing this and CBAC checking icmp and icmp error. I believe the time-exceeded packet coming from the router has its directly connected interface as the source interface and the destination IP is the NAT IP used by the ASA going to Google.


Traceroute to Google.

Private station IP:

Destination Google: x.x.x.x

Router inside interface after the ASA:

NAT IP for destination Google defined by global NAT:

NAT 0 for source 10.x.x.x to destination

When the router replies back with the time-exceeded message, it shows the source as and destination is. When it reaches the ASA, the ASA allows it through the outside interface because of the ACL allowing any with icmp time-exceeded. What I don't understand is how it could reach the workstation when there is no static or dynamic NAT entry to un-NAT it, and why it is checking the nat 0 for this.

Thanks in advance.

Cisco Employee

Re: Traceroute Question


Please make sure you have "inspect icmp" and "inspect icmp error" under the default policy-map.

Nat 0 takes precedence over other NATs, and if you don't have inspection you don't keep track of ICMP sessions (ICMP echoes) the ASA has seen, so it matches any NAT following the order of operations.

I hope it helps.
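As an added illustration (not configuration from either poster), here is the pre-8.3 style setup the thread describes, the inspection lines the reply asks for, and the capture commands used to confirm the router's time-exceeded replies now make it back to the inside host. Interface names, subnets and addresses are placeholders.

```cisco
! Added example, not from the thread. Addresses are placeholders.
! The NAT layout from the question: a NAT exemption (nat 0) for traffic
! from the inside subnet to the next-hop router, and a dynamic global
! NAT for everything else going out.
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 host 203.0.113.1
nat (inside) 0 access-list NONAT
global (outside) 1 203.0.113.10
nat (inside) 1 10.0.0.0 255.0.0.0
!
! Before: no ICMP inspection in the default policy-map. The ASA keeps
! no state for the outbound traceroute probes, so the inbound ICMP
! time-exceeded (type 11) from 203.0.113.1 has no session to match and
! is run through the NAT rules in order. nat 0 is checked first, no
! translation exists for an inbound packet to 203.0.113.10, so it drops.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
!
! After: add ICMP and ICMP error inspection. The ASA now tracks each
! outbound probe as an ICMP session and matches the router's
! time-exceeded reply to it, un-translating 203.0.113.10 back to the
! inside host without consulting the NAT exemption.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Verify: inspection counters should increment while a traceroute runs.
show service-policy inspect icmp
show service-policy inspect icmp error
!
! Verify: capture ICMP on both interfaces, run the traceroute from the
! inside host, then confirm type 11 packets appear on the inside capture.
capture TR-OUT interface outside match icmp any any
capture TR-IN interface inside match icmp any any
show capture TR-OUT
show capture TR-IN
show conn | include ICMP
no capture TR-OUT
no capture TR-IN
```

With inspection enabled, the outside-to-inside direction of the reply is handled by the existing ICMP session rather than by NAT order of operations, which is why the exemption rule stops being consulted.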

