https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678116#M535009 <HTML><HEAD></HEAD><BODY><P>Hi Abhijit,</P><P></P><P>You would need to enable traceroute on the ASA, kindly follow this doc for it:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro</A></P><P></P><P>Hope this helps,</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 26 Jul 2011 10:40:23 GMT varrao 2011-07-26T10:40:23Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678115#M535007 <P>Hi,</P><P></P><P>We are having two sets of firewall between two facilities, like HO and Branch office. We are able to see tracert output of any site from HO, however we are unable to see tracert output (hops) from Branch office. Please help on this.</P><P></P><P>Thanks in advance.</P><P></P><P>Regards,</P><P></P><P>Abhijit Kasarekar</P> Mon, 11 Mar 2019 21:03:37 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678115#M535007 Abhijit Kasarekar 2019-03-11T21:03:37Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678116#M535009 <HTML><HEAD></HEAD><BODY><P>Hi Abhijit,</P><P></P><P>You would need to enable traceroute on the ASA, kindly follow this doc for it:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro</A></P><P></P><P>Hope this helps,</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 26 Jul 2011 10:40:23 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678116#M535009 varrao 2011-07-26T10:40:23Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678117#M535011 <HTML><HEAD></HEAD><BODY><P> Hi Varun,</P><P></P><P></P><P>Thanks for quick response.</P><P></P><P>I am having all the necessary access on the firewall. but still i am unable to see.</P><P></P><P>Please suggest.</P><P></P><P>Regards.</P><P></P><P>Abhijit Kasarekar</P></BODY></HTML> Tue, 26 Jul 2011 10:54:13 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678117#M535011 Abhijit Kasarekar 2011-07-26T10:54:13Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678118#M535012 <HTML><HEAD></HEAD><BODY><P>Hi Abhijit,</P><P></P><P>If you have already enabled the traceroute on ASA, then I would suggest&nbsp; you also take logs on the firewall to chcek where the packets are being denied for tracert. Also could you paste the config that you have added for allowing traceroute.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 26 Jul 2011 11:05:24 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678118#M535012 varrao 2011-07-26T11:05:24Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678119#M535013 <HTML><HEAD></HEAD><BODY><P> Hi Varun,</P><P></P><P>Please find below configuration.</P><P></P><P>access-list inside extended permit icmp any any echo </P><P>access-list inside extended permit icmp any any echo-reply </P><P>access-list inside extended permit icmp any any time-exceeded </P><P>access-list inside extended permit icmp any any unreachable </P><P>access-list outside extended permit icmp any any echo </P><P>access-list outside extended permit icmp any any echo-reply </P><P>access-list outside extended permit icmp any any time-exceeded </P><P>access-list outside extended permit icmp any any unreachable </P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo outside</P><P>icmp permit any echo-reply outside</P><P>icmp permit any inside</P><P>icmp permit any echo inside</P><P>icmp permit any echo-reply inside</P><P>access-group inside in interface inside</P><P>access-group outside in interface outside</P><P></P><P>Thanks,</P><P></P><P>Abhijit Kasarekar</P></BODY></HTML> Tue, 26 Jul 2011 11:19:13 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678119#M535013 Abhijit Kasarekar 2011-07-26T11:19:13Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678120#M535014 <HTML><HEAD></HEAD><BODY><P>Hi Abhijit,</P><P></P><P>Please find the configuration below:</P><P></P><PRE>ciscoasa(config)#<STRONG>class-map class-default</STRONG> ciscoasa(config)#<STRONG>match any</STRONG> <EM> <SPAN style="color: #0000ff;">!--- This class-map exists by default.</SPAN> </EM> ciscoasa(config)#<STRONG>policy-map global_policy</STRONG> <EM> <SPAN style="color: #0000ff;">!--- This Policy-map exists by default.</SPAN> </EM> ciscoasa(config-pmap)#<STRONG>class class-default</STRONG> <EM> <SPAN style="color: #0000ff;">!--- Add another class-map to this policy.</SPAN> </EM> ciscoasa(config-pmap-c)#<STRONG>set connection decrement-ttl</STRONG> <EM> <SPAN style="color: #0000ff;">!--- Decrement the IP TTL field for packets traversing the firewall. !--- By default, the TTL is not decrement hiding (somewhat) the firewall.</SPAN> </EM> ciscoasa(config-pmap-c)#<STRONG>exit</STRONG> ciscoasa(config-pmap)#<STRONG>exit</STRONG> ciscoasa(config)#<STRONG>service-policy global_policy global</STRONG> <EM> <SPAN style="color: #0000ff;">!--- This service-policy exists by default.</SPAN> </EM> WARNING: Policy map global_policy is already configured as a service policy ciscoasa(config)#<STRONG>icmp unreachable rate-limit 10 burst-size 5</STRONG> <EM> <SPAN style="color: #0000ff;">!--- Adjust ICMP unreachable replies: !--- The default is rate-limit 1 burst-size 1. !--- The default will result in timeouts for the ASA hop:</SPAN> </EM> ciscoasa(config)#<STRONG>access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert</STRONG> ciscoasa(config)#<STRONG>access-list outside-in-acl extended permit icmp any any time-exceeded</STRONG> <EM> <SPAN style="color: #0000ff;">!--- The access-list is for the far end of the ICMP traffic (in this case !---the outside interface) needs to be modified in order to allow ICMP type 11 replies !--- time-exceeded):</SPAN> </EM> ciscoasa(config)#<STRONG>access-group outside-in-acl in interface outside</STRONG></PRE><P></P><P></P><P>Kindly refer to the doc above fr complete details.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 26 Jul 2011 11:31:28 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678120#M535014 varrao 2011-07-26T11:31:28Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678121#M535015 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>done same settings on both the firewalls but still unable to tracert output.</P></BODY></HTML> Mon, 22 Aug 2011 11:51:03 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678121#M535015 Abhijit Kasarekar 2011-08-22T11:51:03Z https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678122#M535016 <HTML><HEAD></HEAD><BODY><P>I would suggest if you could share a bit more information, could you share the configuration?? I wouls like to know, from which interface to which interface is the tracert being done. These details woudl make it a bit easy.</P><P></P><P>Basically the outputs i need is:</P><P></P><P>show run class-map</P><P>show run policy-map</P><P>show run access-group</P><P>show run access-list <NAME></NAME></P><P>show service-policy</P><P></P><P>This hsould be enough, if required i'll ask, also plz check what logs you get, if you are suspecting that the firewall is droping the traceroute.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 22 Aug 2011 12:16:02 GMT https://community.cisco.com/t5/network-security/unable-to-see-tracert-output-on-the-command-promt/m-p/1678122#M535016 varrao 2011-08-22T12:16:02Z