https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235288#M875435 <P>We have a Cisco ASA connected to the internet through a Cisco 3800 series router. On the inside of the ASA we have a server that is published onto the internet (Static NAT on the ASA to a public IP).</P><P></P><P>For some reason we require a sucessful traceroute to this server from anywhere in the internet.</P><P></P><P>The problem is the traceroute is sucessful from a few places, but times out at the ASA from most of the places.</P><P></P><P> When i bypass the ASA and connect the server directly to the internet with a public IP, trace is sucessful.</P><P></P><P>ICMP echo and any any is already applied on the ASA to allow tace ICMP packets.</P><P></P><P>Any idea how to rectify this problem.</P><P></P><P>Setup:</P><P></P><P>Server &gt;&gt;&gt;ASA inside--ASA Outside &gt;&gt;&gt; Router &gt;&gt;&gt;&gt;&gt;. Internet.</P> Mon, 11 Mar 2019 14:59:56 GMT victor_87 2019-03-11T14:59:56Z https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235288#M875435 <P>We have a Cisco ASA connected to the internet through a Cisco 3800 series router. On the inside of the ASA we have a server that is published onto the internet (Static NAT on the ASA to a public IP).</P><P></P><P>For some reason we require a sucessful traceroute to this server from anywhere in the internet.</P><P></P><P>The problem is the traceroute is sucessful from a few places, but times out at the ASA from most of the places.</P><P></P><P> When i bypass the ASA and connect the server directly to the internet with a public IP, trace is sucessful.</P><P></P><P>ICMP echo and any any is already applied on the ASA to allow tace ICMP packets.</P><P></P><P>Any idea how to rectify this problem.</P><P></P><P>Setup:</P><P></P><P>Server &gt;&gt;&gt;ASA inside--ASA Outside &gt;&gt;&gt; Router &gt;&gt;&gt;&gt;&gt;. Internet.</P> Mon, 11 Mar 2019 14:59:56 GMT https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235288#M875435 victor_87 2019-03-11T14:59:56Z https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235289#M875438 <HTML><HEAD></HEAD><BODY><P>Read the below for the solution:-</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>HTH&gt;</P></BODY></HTML> Tue, 03 Mar 2009 15:18:32 GMT https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235289#M875438 andrew.prince 2009-03-03T15:18:32Z https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235290#M875439 <HTML><HEAD></HEAD><BODY><P>Victor</P><P></P><P>The problem you may be facing is that not all traceroutes use ICMP. Windows machines do but Linux for example uses UDP so if you are not allowing that in it won't respond. Have a look at the following document for more details - </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml</A></P><P></P><P>Jon</P></BODY></HTML> Tue, 03 Mar 2009 15:20:00 GMT https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235290#M875439 Jon Marshall 2009-03-03T15:20:00Z https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235291#M875440 <HTML><HEAD></HEAD><BODY><P>Thankyou , thankyou very much, i didn't know that. You have opened my eyes. </P><P></P><P>I wonder y Cisco TAC has this case open from morning, asking for sh tech etc.</P><P></P><P>Anyway thankyou very much.</P></BODY></HTML> Tue, 03 Mar 2009 16:18:54 GMT https://community.cisco.com/t5/network-security/traceroute-issues-with-cisco-asa-5540/m-p/1235291#M875440 victor_87 2009-03-03T16:18:54Z