https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355353#M1027811 <P>This <A href="http://www.packetu.com/2009/10/09/traceroute-through-the-asa/" target="_self">post</A> explains all. First paragraph states, inspecting icmp does not result in traceroute working through ASA.</P> <P>&nbsp;</P> <P>HTH</P> Mon, 26 Mar 2018 18:22:08 GMT Rob Ingram 2018-03-26T18:22:08Z https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355333#M1027808 <P>I'm trying to traceroute through an ASA and none of the hops after the ASA appear. I'm assuming the ASA is blocking the time exceeded responses but can't seem to fix this behavior. The ACL is simple: source any, destination any, service any ip.</P> <P>&nbsp;</P> <P>A similar question was asked in&nbsp;<A href="https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343" target="_blank">https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343</A> but the answer's link is now a 404</P> Fri, 21 Feb 2020 15:33:48 GMT https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355333#M1027808 Matt 2020-02-21T15:33:48Z https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355339#M1027809 <P>Hi,</P> <P>Do you have something like this defined on the ASA?</P> <P><BR />access-list OUTSIDE_IN extended permit icmp any any time-exceeded<BR />access-list OUTSIDE_IN extended permit icmp any any unreachable</P> Mon, 26 Mar 2018 18:02:44 GMT https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355339#M1027809 Rob Ingram 2018-03-26T18:02:44Z https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355347#M1027810 No inbound ACL, but wouldn't that be covered by the stateful nature of "access-list INSIDE-OUTSIDE extended permit ip any any" ? Mon, 26 Mar 2018 18:12:18 GMT https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355347#M1027810 Matt 2018-03-26T18:12:18Z https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355353#M1027811 <P>This <A href="http://www.packetu.com/2009/10/09/traceroute-through-the-asa/" target="_self">post</A> explains all. First paragraph states, inspecting icmp does not result in traceroute working through ASA.</P> <P>&nbsp;</P> <P>HTH</P> Mon, 26 Mar 2018 18:22:08 GMT https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355353#M1027811 Rob Ingram 2018-03-26T18:22:08Z https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355488#M1027812 <P>Creating those ACLs&nbsp;was actually the solution. I verified that ICMP inspection in the service policy is still occurring but for some reason I have to set an inbound rule to allow time-exceeded and unreachables...</P> Mon, 26 Mar 2018 22:42:27 GMT https://community.cisco.com/t5/network-security/hops-not-showing-in-traceroute-after-asa/m-p/3355488#M1027812 Matt 2018-03-26T22:42:27Z