https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939440#M5262 <P>To allow trace route through the firewall you need to implement the following commands:</P> <P><STRONG>policy-map global_policy</STRONG></P> <P><STRONG>&nbsp; class inspection_default</STRONG></P> <P><STRONG>&nbsp; inspect icmp</STRONG></P> <P><STRONG>&nbsp; inspect icmp error</STRONG></P> <P>&nbsp;</P> <P><STRONG>access-list outside_access_in extended permit icmp any any unreachable</STRONG><BR /><STRONG>access-list outside_access_in extended permit icmp any any time-exceeded</STRONG></P> <P>&nbsp;</P> <P><SPAN>As&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;has already mentioned, if you want the ASA to be seen as a hop along the traceroute path you need to configure the ASA to decrement the TTL counter.</SPAN></P> <P style="font-weight: 300;">&nbsp;</P> <P style="font-weight: 300;"><STRONG>policy-map global_policy</STRONG></P> <P style="font-weight: 300;"><STRONG>&nbsp; class class-default</STRONG></P> <P style="font-weight: 300;"><STRONG>&nbsp; &nbsp; set connection decrement-ttl</STRONG></P> <P>&nbsp;</P> Fri, 11 Oct 2019 19:32:27 GMT Marius Gunnerud 2019-10-11T19:32:27Z https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939312#M5258 <P>If traceroute is done lets say some far away host out in the WAN, the trace will stop showing anything once it hits a FW that is blocking it correct? Meaning, It won't just show the * but then show all IPs of the hops after it that aren't FWs?</P> Fri, 21 Feb 2020 17:34:53 GMT https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939312#M5258 CiscoBrownBelt 2020-02-21T17:34:53Z https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939326#M5261 <P>Hi,</P> <P>If you traceroute through the ASA, as default the ASA will not appear as a hop (unless you specify to decrement-ttl). In order for every hop on the outside of the ASA to be displayed you'd specifically need to permit that traffic. To permit traceroute traffic you'd modify your inbound ACL on the outside interface to permit time-exceeded and unreachable (it depends on which OS the traceroute was sent as to which is required).</P> <P>&nbsp;</P> <P>HTH</P> Fri, 11 Oct 2019 15:56:22 GMT https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939326#M5261 Rob Ingram 2019-10-11T15:56:22Z https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939440#M5262 <P>To allow trace route through the firewall you need to implement the following commands:</P> <P><STRONG>policy-map global_policy</STRONG></P> <P><STRONG>&nbsp; class inspection_default</STRONG></P> <P><STRONG>&nbsp; inspect icmp</STRONG></P> <P><STRONG>&nbsp; inspect icmp error</STRONG></P> <P>&nbsp;</P> <P><STRONG>access-list outside_access_in extended permit icmp any any unreachable</STRONG><BR /><STRONG>access-list outside_access_in extended permit icmp any any time-exceeded</STRONG></P> <P>&nbsp;</P> <P><SPAN>As&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;has already mentioned, if you want the ASA to be seen as a hop along the traceroute path you need to configure the ASA to decrement the TTL counter.</SPAN></P> <P style="font-weight: 300;">&nbsp;</P> <P style="font-weight: 300;"><STRONG>policy-map global_policy</STRONG></P> <P style="font-weight: 300;"><STRONG>&nbsp; class class-default</STRONG></P> <P style="font-weight: 300;"><STRONG>&nbsp; &nbsp; set connection decrement-ttl</STRONG></P> <P>&nbsp;</P> Fri, 11 Oct 2019 19:32:27 GMT https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939440#M5262 Marius Gunnerud 2019-10-11T19:32:27Z https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939454#M5394 Ok so I should allow ICMP as well as class class-default<BR /><BR />set connection decrement-ttl? Fri, 11 Oct 2019 19:57:29 GMT https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939454#M5394 CiscoBrownBelt 2019-10-11T19:57:29Z https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939462#M5395 <P>No,</P> <P>You need to allow ICMP but&nbsp;<SPAN>set connection decrement-ttl is only if you want the ASA to be seen in the traceroute path.&nbsp; If you want the ASA to remain invisible do not implement this.&nbsp; It is not good practice to implement it and should only be done if you have a specific need to do so.</SPAN></P> Fri, 11 Oct 2019 20:05:23 GMT https://community.cisco.com/t5/network-security/traceroute-through-asa/m-p/3939462#M5395 Marius Gunnerud 2019-10-11T20:05:23Z