https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4701113#M1094135 <P>When you apply an ACL on the ASA, that will be subject to the transit traffic passing through the ASA, it won't take any effect on the traffic generated or destined by/to the ASA itself. However, if you want to allow some ICMP traffic destined to the ASA itself you can use the command "icmp permit ..." as already mentioned, for example, a common ICMP types you might want to allow would be the unreachable and time exceeded. You can do that by issuing the commands "icmp permit any unreachable outside" and "icmp permit any time-exceeded outside". If you don't specify any "icmp permit ..." command the ASA would block any ICMP traffic by default. Another option that you can use which will look at the traffic destined to the ASA itself would be using the keyword "control-plane" alongside the "access-group" command. For example, say if you defined your ACL and you want to apply it to look at the traffic destined to the ASA then you can use the command "access-group ACL-NAME in interface outside control-plane". This option is not widely used and I don't think it is recommended neither.</P> Tue, 11 Oct 2022 08:36:31 GMT Aref Alsouqi 2022-10-11T08:36:31Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687678#M1093393 <P>how to config asa in order to not allow traceroute to asa outside interface?</P> Thu, 15 Sep 2022 08:17:57 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687678#M1093393 weichenyang 2022-09-15T08:17:57Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687733#M1093394 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/303673">@weichenyang</a> as default the ASA will not show up in traceroute....unless you've configure a policy-map to decrement the ttl.</P> Thu, 15 Sep 2022 09:39:30 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687733#M1093394 Rob Ingram 2022-09-15T09:39:30Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687746#M1093396 <P>the ASA will not appear in traceroute by defualt (need policy to config) but it can allow ICMP ttl expire to pass and hence the device behind the ASA is appear.&nbsp;</P> Thu, 15 Sep 2022 14:48:38 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687746#M1093396 MHM Cisco World 2022-09-15T14:48:38Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687942#M1093412 <P>Hey,</P> <P>If you just want to allow traceroute, all you need to do is permit the interesting traffic (ICMP time exceeded and ICMP unreachable). If it's UDP traceroute, permit port range&nbsp;<SPAN>33434 to 33464.</SPAN></P> <P>If you also want the ASA to appear as a hop in the traceroute, you need to do something like this:</P> <PRE>asa(config)# policy-map global_policy asa(config-pmap)# class class-default asa(config-pmap-c)# set connection decrement-ttl</PRE> <P>&nbsp;</P> Thu, 15 Sep 2022 14:43:18 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4687942#M1093412 Ricardo Romero 2022-09-15T14:43:18Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4688277#M1093433 <P>thanks for all reply.</P><P><SPAN>unless you've configure a policy-map to decrement the ttl.----there is no policy about&nbsp;decrement the ttl.</SPAN></P><P><SPAN>but it can allow ICMP ttl expire to pass and hence the device behind the ASA is appear. -----how to check the reason is icmp ttl expire?</SPAN></P><P><SPAN>If you just want to allow traceroute---not allow traceroute,i will remove&nbsp;icmp unreachable rate-limit 1 burst-size 1</SPAN></P><P><SPAN>If you also want the ASA to appear as a hop in the traceroute---- do not want asa to appear as a hop in the traceroute</SPAN></P><P>&nbsp;</P> Fri, 16 Sep 2022 01:32:20 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4688277#M1093433 weichenyang 2022-09-16T01:32:20Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4688544#M1093442 <P><A href="https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/" target="_blank" rel="noopener">https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/</A></P><PRE>access-list OUTSIDE extended permit icmp any4 any4 time-exceeded</PRE><P>or ICMP inspection&nbsp;</P> Fri, 16 Sep 2022 12:02:09 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4688544#M1093442 MHM Cisco World 2022-09-16T12:02:09Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4690297#M1093493 <P>no&nbsp;inspect icmp</P><P>no&nbsp;access-list Outside-in extended permit icmp any any</P><P>no&nbsp;icmp unreachable rate-limit 1 burst-size 1</P><P>still fail.</P> Tue, 20 Sep 2022 06:12:39 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4690297#M1093493 weichenyang 2022-09-20T06:12:39Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4690492#M1093497 <P>i will run small lab for you</P> Tue, 20 Sep 2022 08:00:57 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4690492#M1093497 MHM Cisco World 2022-09-20T08:00:57Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4697773#M1093914 <P>Hi Friend&nbsp;<BR />are you still need solution for this issue ?</P> Mon, 03 Oct 2022 22:54:50 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4697773#M1093914 MHM Cisco World 2022-10-03T22:54:50Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4697824#M1093918 <P>You may have other settings that affect the behavior.</P> <P>Please share the output of "show run | i icmp" and "show run access-group".</P> Tue, 04 Oct 2022 03:45:44 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4697824#M1093918 Marvin Rhoads 2022-10-04T03:45:44Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4700334#M1094070 <P>icmp unreachable rate-limit 1 burst-size 1<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />inspect icmp error</P><P>access-group Outside-in in interface Outside</P><P>thanks</P> Sun, 09 Oct 2022 01:37:33 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4700334#M1094070 weichenyang 2022-10-09T01:37:33Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4700397#M1094078 <P>There are two behave for ASA for ICMP&nbsp;<BR />ICMP pass through<BR />and&nbsp;<BR />ICMP toward ASA interface&nbsp;<BR /><BR />you want to deny the ICMP toward the ASA interface and this need special command&nbsp;<BR /><SPAN class="">icmp</SPAN><SPAN>&nbsp;</SPAN>{<SPAN>&nbsp;</SPAN><SPAN class="">permit</SPAN><SPAN>&nbsp;</SPAN>|<SPAN>&nbsp;</SPAN><SPAN class="">deny</SPAN><SPAN>&nbsp;</SPAN>}<SPAN>&nbsp;</SPAN>ip_address<SPAN>&nbsp;</SPAN>net_mask<SPAN>&nbsp;</SPAN>[<SPAN>&nbsp;</SPAN>icmp_type<SPAN>&nbsp;</SPAN>]<SPAN>&nbsp;</SPAN>if_name<BR />for more info about command please check below link&nbsp;<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1366339900" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1366339900</A></P> Sun, 09 Oct 2022 12:33:27 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4700397#M1094078 MHM Cisco World 2022-10-09T12:33:27Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4701113#M1094135 <P>When you apply an ACL on the ASA, that will be subject to the transit traffic passing through the ASA, it won't take any effect on the traffic generated or destined by/to the ASA itself. However, if you want to allow some ICMP traffic destined to the ASA itself you can use the command "icmp permit ..." as already mentioned, for example, a common ICMP types you might want to allow would be the unreachable and time exceeded. You can do that by issuing the commands "icmp permit any unreachable outside" and "icmp permit any time-exceeded outside". If you don't specify any "icmp permit ..." command the ASA would block any ICMP traffic by default. Another option that you can use which will look at the traffic destined to the ASA itself would be using the keyword "control-plane" alongside the "access-group" command. For example, say if you defined your ACL and you want to apply it to look at the traffic destined to the ASA then you can use the command "access-group ACL-NAME in interface outside control-plane". This option is not widely used and I don't think it is recommended neither.</P> Tue, 11 Oct 2022 08:36:31 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4701113#M1094135 Aref Alsouqi 2022-10-11T08:36:31Z https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4702314#M1094189 <P><SPAN>icmp permit any unreachable outside</SPAN></P><P><SPAN>thanks</SPAN></P> Thu, 13 Oct 2022 01:06:28 GMT https://community.cisco.com/t5/network-security/not-allow-traceroute-in-asa/m-p/4702314#M1094189 weichenyang 2022-10-13T01:06:28Z