This feature is related to all "return" ICMP error messages, so it has
more to offer than just traceroute replies. Traceroute is the most
common application though for which we need this feature.
The source IP in the IP header of the return ICMP error messages depends
on whether we use this feature or not:
- With this feature (inspect icmp error), the source IP will be that of
the intermediate hop (unmodified and original).
- Without it, the source IP will always show up as the NAT IP we initiated
the traffic TO (ASA changes this to protect the identity of
intermediate devices).
Also, note that the IP addresses present inside the received return ICMP
error message's PAYLOAD are always converted to the NAT IP we initiate
the traffic ON. This is done by the stateful engine by default and is
not related to the inspect icmp error feature.
HTH
Swap
#19804x2
On Thu, Aug 19, 2010 at 5:55 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dears,
>
> The only difference I noted is that it makes the response to a traceroute,
> for instance, subject to the NAT rules, thus hiding the internal host.
> Please correct me if I am wrong/missing something?
>
> Thank You
>
> On Thu, Aug 19, 2010 at 4:42 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
>> Dear Experts,
>>
>> I have been trying to understand the effect of the command inspect icmp
>> error unsuccessfully. Would appreciate any help.
>>
>> Best Regards,
>>
>> --
>> KJ
>>
>
>
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Aug 30 2010 - 11:52:54 ART
This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:53 ART