https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818931#M981999 <HTML><HEAD></HEAD><BODY><P>conf t</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P> inspect icmp error</P><P></P><P></P></BODY></HTML> Sat, 08 Sep 2007 07:10:36 GMT a.alekseev 2007-09-08T07:10:36Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818928#M981996 <P>Hello,</P><P>We are a windows 2003 network and use an ASA firewall. We can trace route from the ASA device but not at our desktops...do you know the syntax we need to add this to our outside access-lists? TIA, Gary</P> Mon, 11 Mar 2019 11:08:19 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818928#M981996 hornbeck 2019-03-11T11:08:19Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818929#M981997 <HTML><HEAD></HEAD><BODY><P>On the outside interface access-list, permit icmp unreachable and icmp time-exceeded</P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/pixtrace.html#topic2" target="_blank">http://www.cisco.com/warp/public/110/pixtrace.html#topic2</A></P></BODY></HTML> Fri, 07 Sep 2007 21:46:36 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818929#M981997 hsajwan 2007-09-07T21:46:36Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818930#M981998 <HTML><HEAD></HEAD><BODY><P>rather, you can also open complete icmp by using "permit icmp any any" on the outside interface access-list</P></BODY></HTML> Fri, 07 Sep 2007 21:47:12 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818930#M981998 hsajwan 2007-09-07T21:47:12Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818931#M981999 <HTML><HEAD></HEAD><BODY><P>conf t</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P> inspect icmp error</P><P></P><P></P></BODY></HTML> Sat, 08 Sep 2007 07:10:36 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818931#M981999 a.alekseev 2007-09-08T07:10:36Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818932#M982000 <HTML><HEAD></HEAD><BODY><P>I still can't run traceroute through my ASA, even though it's configured as shown:</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp error</P><P> inspect icmp</P><P>!</P><P>service-policy global_policy global</P><P></P><P>I've issued the "clear x" command and even tried adding the following commands:</P><P></P><P>icmp permit any Outside</P><P>icmp permit any Inside</P><P></P><P></P><P>When I try "tracert yahoo.com", this is what the ASDM log shows (note that I've reversed the order to show earliest message first):</P><P></P><P>Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)</P><P>Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:(gateway address) dstInside:(outside IP address)(type 11,code 0)</P><P>Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)</P><P></P><P></P><P>I can place a computer on the same public IP subnet that the outside interface of the ASA resides on and get traceroutes to work without issue, I know the problem lies with the ASA.</P></BODY></HTML> Wed, 03 Oct 2007 04:48:27 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818932#M982000 GRANT GATHAGAN 2007-10-03T04:48:27Z https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818933#M982001 <HTML><HEAD></HEAD><BODY><P>Interestingly enough, I tried using the ACL method:</P><P> access-list 101 permit icmp any any echo-reply</P><P> access-list 101 permit icmp any any source-quench </P><P> access-list 101 permit icmp any any unreachable </P><P> access-list 101 permit icmp any any time-exceeded</P><P> access-group 101 in interface outside</P><P> instead of the global policy method, and that worked fine.</P><P></P><P>Go figure...</P></BODY></HTML> Fri, 12 Oct 2007 04:45:16 GMT https://community.cisco.com/t5/network-security/traceroute-behind-an-asa-firewall/m-p/818933#M982001 GRANT GATHAGAN 2007-10-12T04:45:16Z