https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348971#M1031832 This is not good news (about FTD I mean).<BR />As for my trace issue, I cannot trace from ASA itself specifying the source interface. Thu, 15 Mar 2018 07:18:18 GMT Florin Barhala 2018-03-15T07:18:18Z https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3347804#M1031829 <P>I have a new set of Firepower 2130 appliances and a Management Center 1000. One of the differences between the 5525x and the Firepower is that some users can run traceroute, tracert or mtr and get useful information. Other users cannot get past their gateway. This worked correctly on the ASA 5525x but when the consultant did the conversion to the Firepower rules some weird stuff happened.</P> <P>&nbsp;</P> <P>Where is traceroute, etal set up? I know the process uses ICMP and/or UDP but just allowing those outbound has not cured the problem. Is there some inspection rule I need to create?</P> Fri, 21 Feb 2020 15:30:39 GMT https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3347804#M1031829 Stephen Carville 2020-02-21T15:30:39Z https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348325#M1031830 <P>I am also interested in this as we might migrate this year.</P> <P>Meantime can you share your current traceroute "config ". I am having some issues to make it work on my current ASAs.</P> Wed, 14 Mar 2018 12:00:46 GMT https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348325#M1031830 Florin Barhala 2018-03-14T12:00:46Z https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348576#M1031831 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/315231">@Florin Barhala</a> wrote:<BR /> <P>I am also interested in this as we might migrate this year.</P> <P>&nbsp;</P> </BLOCKQUOTE> <P>I've only had it a few days but, so far, I am unimpressed.&nbsp; Even a simple change like blacklisting the IP of a CNC server requires redeploying the entire policy.&nbsp; That takes five to ten minutes.&nbsp; Don't get me started on the HTML 5 interface.<BR /><BR />What was Cisco thinking?</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Meantime can you share your current traceroute "config ". I am having some issues to make it work on my current ASAs.</P> <HR /></BLOCKQUOTE> <P>As I recall, on the ASA&nbsp; I first had to create an object list for the icmp types I wanted to accept from outside:<BR /><BR />object-group icmp-type icmp_permit<BR />&nbsp;description icmp types allowed<BR />&nbsp;icmp-object echo-reply<BR />&nbsp;icmp-object source-quench<BR />&nbsp;icmp-object time-exceeded<BR />&nbsp;icmp-object traceroute<BR />&nbsp;icmp-object unreachable<BR /><BR />Then on the outside interface acl I added:<BR /><BR />&nbsp; permit icmp any any object-group icmp_permit<BR /><BR />Finally, the global policy map had to be made aware of icmp<BR /><BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; &lt;buncha stuff&gt;<BR />&nbsp; inspect icmp <BR />&nbsp; inspect icmp error</P> Wed, 14 Mar 2018 16:02:04 GMT https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348576#M1031831 Stephen Carville 2018-03-14T16:02:04Z https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348971#M1031832 This is not good news (about FTD I mean).<BR />As for my trace issue, I cannot trace from ASA itself specifying the source interface. Thu, 15 Mar 2018 07:18:18 GMT https://community.cisco.com/t5/network-security/traceroute-tracert-mtr-and-the-firepower/m-p/3348971#M1031832 Florin Barhala 2018-03-15T07:18:18Z