topic Re: PING work TRACEROUTE NOT !!!!! on ASA in Network Security

PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Mon, 11 Mar 2019 13:46:17 GMT

I have ASA 5505.... from my LAN i can ping internet devices but i cant Traceroute it !!

I tried everything i found in cisco:

1- ACL: i allowed all kind ICMP , IP, UDP , TCP in Inside and outside

2- ICMP Inspect

3-set connection decrement-ttl

my lan device is UNIX

and i can do traceroute from the ASA

and attached my SHOW RUN

Re: PING work TRACEROUTE NOT !!!!! on ASA

suschoud — Thu, 18 Sep 2008 17:58:58 GMT

add :

inspect icmp error

Regards,

Sushil

Re: PING work TRACEROUTE NOT !!!!! on ASA

suschoud — Thu, 18 Sep 2008 18:00:20 GMT

Oops....you have unix server on inside..hmmm.UNIX uses udp for traceroute.

could you please take syslogs at the debugging level....they would tell you exactly what is being blocked.

Regards,

Sushil

Re: PING work TRACEROUTE NOT !!!!! on ASA

singhsaju — Thu, 18 Sep 2008 18:17:26 GMT

Hello,

Can you remove access-list bound to inside interface and then try.

no access-group inside_access_in in interface inside

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Thu, 18 Sep 2008 20:37:20 GMT

I tried everything you said,,, but its the same here is my show run

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Fri, 19 Sep 2008 13:20:22 GMT

Hi every one i tried what u asked .

i tried traceroutr -n -I 4.2.2.2 and i get this

root@vashouse03:~# traceroute -n -I 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets

1 * * *

2 * * *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 4.2.2.2 195.437 ms 207.442 ms 212.364 ms

i added inspect icmp error

and tried and same...

the i removed the ACL from inside interface , and i get nothing ...

any idea please..

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Fri, 19 Sep 2008 13:36:32 GMT

Dear Suschoud

i dont understand (syslogs at the debugging level.)

you mean on my ASA make Debug ICMP TRACE ??

if yes what level you want.

or from my server?

if you mean from ASA command i used it and do traceroute 4.2.2.2 from my server , and i get nothing on my ASA!!!

if i use traceroute -n -I 4.2.2.2 i get the attached output

Re: PING work TRACEROUTE NOT !!!!! on ASA

suschoud — Fri, 19 Sep 2008 13:40:23 GMT

Taking syslogs :

Access asa via telnet/ssh

conf t

logg mon 7

logg on

term mon

Syslogs would start generating on screen.

capture the screen output in a text file.

To stop syslogs :

term no mon

Regards,

Sushil

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Fri, 19 Sep 2008 13:49:28 GMT

i enable the logg as you said then go to my linux server and do traceroute 4.2.2.2

attached is the output

Re: PING work TRACEROUTE NOT !!!!! on ASA

cisco24x7 — Fri, 19 Sep 2008 16:21:43 GMT

Suschoud,

The user uses the "-I" option. In linux, it

uses icmp for traceroute instead of random

UDP high-ports.

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Sat, 20 Sep 2008 17:48:54 GMT

where are you CISCO SECURITY SPECIALEST.. Any help pleaseeee

Re: PING work TRACEROUTE NOT !!!!! on ASA

Marwan ALshawi — Sun, 21 Sep 2008 01:14:08 GMT

hi there

have a look at the following link

Handling ICMP Pings and Traceroute:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

if helpful Rate

Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater — Sun, 21 Sep 2008 06:05:16 GMT

I found it ....

ASA OS 7.2 have BUG..it cant decrement TTL so traceroute will not work, unless you upgrade to OS 8.3

BUG ID : CSCsk 76401

I guess iam the CISCO Specilaist 😉

Re: PING work TRACEROUTE NOT !!!!! on ASA

CSCO12302959 — Fri, 13 Jul 2018 13:24:31 GMT

Even if ICPM can be inspected and you can ping to the internet but when you do a trace to the same IP as you ping the firewall will block the returning traffic, I had the same problem until I allow icmp from any to the internal IPs as traffic hit the outside interface then everything worked.