https://community.cisco.com/t5/network-security/asa-traceroute/m-p/3314828#M1064601 <P>Hi,</P> <P>&nbsp;</P> <P>I'm unable to traceroute through a CISCO ASA 5505. We want to be able to trace to websites for diagnostic purposes for example 8.8.8.8. The following commands&nbsp;we currently have on the firewall are</P> <P>&nbsp;</P> <P>access-list outside_in extended permit icmp any any time-exceeded <BR />access-list outside extended permit icmp any host (outside public ip ) time-exceeded <BR />icmp unreachable rate-limit 1 burst-size 1<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR /> inspect icmp</P> <P>&nbsp;</P> <P>Cisco Adaptive Security Appliance Software Version 9.1(7)4</P> <P>&nbsp;</P> <P>tracing from the asa sourcing from the outside interface is successful, however tracing from the internal network isn't</P> <P>&nbsp;</P> <P>Any recommendations would be great</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 21 Feb 2020 15:10:31 GMT jay_7301 2020-02-21T15:10:31Z https://community.cisco.com/t5/network-security/asa-traceroute/m-p/3314828#M1064601 <P>Hi,</P> <P>&nbsp;</P> <P>I'm unable to traceroute through a CISCO ASA 5505. We want to be able to trace to websites for diagnostic purposes for example 8.8.8.8. The following commands&nbsp;we currently have on the firewall are</P> <P>&nbsp;</P> <P>access-list outside_in extended permit icmp any any time-exceeded <BR />access-list outside extended permit icmp any host (outside public ip ) time-exceeded <BR />icmp unreachable rate-limit 1 burst-size 1<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR /> inspect icmp</P> <P>&nbsp;</P> <P>Cisco Adaptive Security Appliance Software Version 9.1(7)4</P> <P>&nbsp;</P> <P>tracing from the asa sourcing from the outside interface is successful, however tracing from the internal network isn't</P> <P>&nbsp;</P> <P>Any recommendations would be great</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 21 Feb 2020 15:10:31 GMT https://community.cisco.com/t5/network-security/asa-traceroute/m-p/3314828#M1064601 jay_7301 2020-02-21T15:10:31Z https://community.cisco.com/t5/network-security/asa-traceroute/m-p/3314873#M1064602 <P>Paul Stewart wrote a blog post a number of years ago that's still valid:</P> <P>&nbsp;</P> <P><A href="http://www.packetu.com/2009/10/09/traceroute-through-the-asa/" target="_blank">http://www.packetu.com/2009/10/09/traceroute-through-the-asa/</A></P> <P>&nbsp;</P> <P>From what you posted you should also include decrement-ttl at a minimum. If that doesn't fix it, tell us more specifically what failure you are seeing and we can go from there.</P> Sat, 20 Jan 2018 01:57:57 GMT https://community.cisco.com/t5/network-security/asa-traceroute/m-p/3314873#M1064602 Marvin Rhoads 2018-01-20T01:57:57Z