Solved: Re: Traceroute from Host behind Cisco ASA 5505

Net_Stef · ‎06-15-2019

Hello all,

I'm trying to perform a traceroute from a host behind ASA 5505, but i cannot see any path:

C:\Users\Stef>tracert -d www.google.com

Tracing route to www.google.com [216.58.207.36]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 52 ms 52 ms 53 ms 216.58.207.36

I have uploaded also the configuration file. What is the missing command used to traceroute successfully?

Thanks in advance,

Stef

Rob Ingram · ‎06-15-2019

Hi,

To traceroute through the ASA you need to permit icmp time-exceeded and unreachable inbound on the outside interface. E.g:-

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface OUTSIDE

By default the ASAs IP address would not appear as a hop in the traceroute, to enable this you can also decrement the ttl. E.g:-

policy-map global_policy
 class class-default
 set connection decrement-ttl

Further examples here and here.

HTH

View solution in original post

Rob Ingram · ‎06-15-2019

Hi,

To traceroute through the ASA you need to permit icmp time-exceeded and unreachable inbound on the outside interface. E.g:-

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface OUTSIDE

By default the ASAs IP address would not appear as a hop in the traceroute, to enable this you can also decrement the ttl. E.g:-

policy-map global_policy
 class class-default
 set connection decrement-ttl

Further examples here and here.

HTH

Net_Stef · ‎06-15-2019

Thanks RJI! Now i can see traceroute is working as expected!