https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714904#M1049750 <P>is there any examples of config i can refer to?&nbsp;</P> Fri, 28 Sep 2018 09:29:12 GMT getaway51 2018-09-28T09:29:12Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712556#M1049646 <P>How to enable traceroute traffic flow for all directions &amp; interfaces in ASA Version 9.1(7) ?&nbsp;</P> <P>&nbsp;</P> <P>The reason was traceroute frm PC meet with *** time-out when it reaches firewall.</P> Fri, 21 Feb 2020 16:16:43 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712556#M1049646 getaway51 2020-02-21T16:16:43Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712579#M1049662 <P><U></U>hi,</P> <P>allow ICMP <EM>unreachable</EM> and <EM>time-exceeded</EM> on your 'outside' ACL.</P> <P>sample would be:</P> <P><EM>access-list OUTSIDE_IN extended permit icmp any any unreachable </EM><BR /><EM>access-list OUTSIDE_IN extended permit icmp any any time-exceeded</EM></P> Tue, 25 Sep 2018 04:15:29 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712579#M1049662 johnlloyd_13 2018-09-25T04:15:29Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712826#M1049680 <P>..and make sure you "inspect icmp" in your class-map that's referenced in your active policy-map.</P> <P>&nbsp;</P> <P><A href="https://packetu.com/2009/10/09/traceroute-through-the-asa/" target="_blank">https://packetu.com/2009/10/09/traceroute-through-the-asa/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 25 Sep 2018 13:28:58 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3712826#M1049680 Marvin Rhoads 2018-09-25T13:28:58Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714887#M1049722 You meant the cmd below still not sufficient to allow traceroute? wht others needed?<BR /><BR />//create an ACL that permits the incoming ICMP<BR />access-list outside_access_in remark ICMP type 11 for Windows Traceroute<BR />access-list outside_access_in extended permit icmp any any time-exceeded<BR />access-list outside_access_in remark ICMP type 3 for Cisco and Linux<BR />access-list outside_access_in extended permit icmp any any unreachable<BR /><BR />//bind the ACL to the outside interface<BR />access-group outside_access_in in interface outside Fri, 28 Sep 2018 08:53:21 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714887#M1049722 getaway51 2018-09-28T08:53:21Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714891#M1049737 <P>Your class map needs to include icmp inspection.</P> <P>&nbsp;</P> <P>If there's any access-list applied to the inside interface it must also allow icmp.</P> Fri, 28 Sep 2018 09:00:05 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714891#M1049737 Marvin Rhoads 2018-09-28T09:00:05Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714904#M1049750 <P>is there any examples of config i can refer to?&nbsp;</P> Fri, 28 Sep 2018 09:29:12 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714904#M1049750 getaway51 2018-09-28T09:29:12Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714907#M1049753 <P>Yes - please see the link I provided in my reply date 9-25-2018.</P> Fri, 28 Sep 2018 09:31:25 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714907#M1049753 Marvin Rhoads 2018-09-28T09:31:25Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714973#M1049761 <P><SPAN>"Your <STRONG>class map</STRONG> needs to include icmp inspection". I am not sure how to check in the present config what it meant by "class map" here. I have read thru the blog but not sure abt the icmp inspection except from the access list config.</SPAN></P> <P><SPAN>How class map config enabled for traceroute? How does it normally configured? Any example/sample config for be great.</SPAN></P> Fri, 28 Sep 2018 11:52:41 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714973#M1049761 getaway51 2018-09-28T11:52:41Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714995#M1049768 <P>ASA(config)# fixup protocol icmp<BR />&nbsp;OR<BR />ASA(config)# policy-map global_policy<BR />ASA(config-pmap)# class default-inspection-class<BR />ASA(config-pmap-c)# inspect icmp</P> <P>&nbsp;</P> Fri, 28 Sep 2018 12:35:56 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3714995#M1049768 Rob Ingram 2018-09-28T12:35:56Z https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3738599#M1049772 <P>policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect icmp</P> <P>&nbsp;</P> <P>policy-map global_policy<BR />&nbsp;class class-default<BR />&nbsp; set connection decrement-ttl<BR />access-list OUTSIDE-IN extended permit icmp any any time-exceeded <BR />access-list OUTSIDE-IN extended permit icmp any any unreachable <BR />access-group OUTSIDE-IN in interface OUTSIDE</P> <P>&nbsp;</P> <P>hope that helps.</P> <P>azam</P> <P>&nbsp;</P> Sun, 04 Nov 2018 00:15:14 GMT https://community.cisco.com/t5/network-security/how-to-enable-full-traceroute-in-asa/m-p/3738599#M1049772 mkazam001 2018-11-04T00:15:14Z