ASA and traceroute

By default ASA does not decrease the TTL field, hence is not visible in traceroute output. This is how to change this behaviour :

asa# conf t
asa(config)# icmp unreachable rate-limit 10 burst-size 5
asa(config)# policy-map global_policy
asa(config-pmap)#
asa(config-pmap)#  class class-default
asa(config-pmap-c)# set connection decrement-ttl

The result:

asa# sh run
. . .
icmp unreachable rate-limit 10 burst-size 5
. . .
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  . . .
  inspect icmp
  inspect sunrpc

 class class-default
  set connection decrement-ttl

service-policy global_policy global
. . .

Sources:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://packetu.com/content/view/50/

Related posts:

  1. One-liner: how to change file extensions according to their type What if you have PNG or WEBP files, saved with .jpg extension?...
  2. Midnight commander cannot change directory Probably your mc is compiled by Blastwave (CSW) and you are running...
  3. Jumbo frames on Solaris For e1000g (Solaris): Change /kernel/drv/e1000g.conf to: MaxFrameSize=3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3; # 0 is for normal...
  4. CheckPoint Firewall policy parsers and converters cpfw2ns – Checkpoint to Juniper converter (outdated?) FWdoc – CheckPoint converter, verifier,...
  5. No external images in Evolution If you see no images in HTML-mail in evolution, add the following...

Leave a Reply

Your email address will not be published. Required fields are marked *