https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482400#M267197 <P>If you are actually just configuring ACL as a test then I would suggest to check logs to see what is built for any future troubleshooting so you can understand what is go through the ASA.</P><P>&nbsp;</P><P>FYI: Inspection rule allows traceroute and you don't need ACLs from a higher security interface to a lower one.</P><P>&nbsp;</P><P>Also check the next link:</P><P>&nbsp;</P><H2 class="title-page">ASA/PIX/FWSM: Handling ICMP Pings and Traceroute</H2><P>&nbsp;</P><P>http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html</P> Wed, 30 Apr 2014 21:32:26 GMT jumora 2014-04-30T21:32:26Z https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482398#M267195 <P>Hi</P><P>I have tried to allow traceroute for one PC for the testing purpose, but it is not working</P><P>Model : ASA 5515x Version : 9.12</P><P>&nbsp;</P><P>And also allowed below access list, but still user getting * * *</P><P>&nbsp;</P><P>access-list acl_out line 1 permit icmp any any echo-reply<BR />access-list acl_out line 1 permit icmp any any time-exceeded<BR />access-list acl_out line 1 permit icmp any any traceroute<BR />access-list acl_out line 1 permit icmp any any time-exceeded<BR />access-list acl_out line 1 permit icmp any any unreachable</P><P>access-list acl_in line 1 permit icmp any any unreachable<BR />access-list acl_in line 1 permit icmp any any time-exceeded<BR />access-list acl_in line 1 permit icmp any any traceroute<BR />access-list acl_in line 1 permit icmp any any echo-reply<BR />access-list acl_in line 1 permit icmp any any time-exceeded</P><P>access-group acl_out in interface inside</P><P>access-group acl_in&nbsp; in interface outside</P><P>Fixup protocol icmp<BR />Fixup protocol icmp-error</P> Tue, 12 Mar 2019 04:08:13 GMT https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482398#M267195 mphasis infosec 2019-03-12T04:08:13Z https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482399#M267196 <P>Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.</P><P><SPAN style="font-size: 14px;">&nbsp; &nbsp; &nbsp;access-list acl_out line 1 permit icmp any any echo</SPAN></P><P>It would be easier to just allow all icmp outbound:</P><P><SPAN style="font-size: 14px;">&nbsp; &nbsp; &nbsp;access-list acl_out line 1 permit icmp any any</SPAN></P><P>Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, any inside-initiated to outside flows are allowed.</P> Wed, 30 Apr 2014 00:47:46 GMT https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482399#M267196 Marvin Rhoads 2014-04-30T00:47:46Z https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482400#M267197 <P>If you are actually just configuring ACL as a test then I would suggest to check logs to see what is built for any future troubleshooting so you can understand what is go through the ASA.</P><P>&nbsp;</P><P>FYI: Inspection rule allows traceroute and you don't need ACLs from a higher security interface to a lower one.</P><P>&nbsp;</P><P>Also check the next link:</P><P>&nbsp;</P><H2 class="title-page">ASA/PIX/FWSM: Handling ICMP Pings and Traceroute</H2><P>&nbsp;</P><P>http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html</P> Wed, 30 Apr 2014 21:32:26 GMT https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482400#M267197 jumora 2014-04-30T21:32:26Z https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482401#M267198 <P>Hey could you please mark the ticket as answered.</P> Mon, 19 May 2014 19:11:36 GMT https://community.cisco.com/t5/network-security/traceroute-is-not-working-in-next-generation-firewall/m-p/2482401#M267198 jumora 2014-05-19T19:11:36Z