[c-nsp] traceroute from ASA with source IP from inside interface

"Rolf Hanßen" nsp at rhanssen.de
Wed Mar 16 06:58:17 EDT 2016


I am new to ASA and wondering about the traceroute (and ping) behaviour.
I wanted to trace/ping with the IP address of the internal interface, but
anything I try results in stars:

ASA# traceroute source inside

Type escape sequence to abort.
Tracing the route to

 1   *  *  *
 2   *  *  *

Tracing without setting a source (or "source outside") works fine.
I created a rule for the internal interface towards dst any service ip.
There is also a rule on the outside interface to allow icmp.
I replaced "inside" with the IP.
Traceroutes from servers attached to the inside interface work fine.

There is no control plane policy set.

Is this a bug or some strange "security feature"?
Is there another part that maybe filters such traffic?
In the management access section I see only https/asdm/ssh/telnet.

Maybe somebody can explain.

kind regards
