Beginner

Traceroute from Host behind Cisco ASA 5505

Hello all,

I'm trying to perform a traceroute from a host behind an ASA 5505, but I cannot see any path:

C:\Users\Stef>tracert -d www.google.com

Tracing route to www.google.com [216.58.207.36]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 52 ms 52 ms 53 ms 216.58.207.36

I have uploaded also the configuration file. What is the missing command used to traceroute successfully?

Thanks in advance,

Stef

ACCEPTED SOLUTION
RJI (VIP Advocate)

Re: Traceroute from Host behind Cisco ASA 5505

Hi,

To traceroute through the ASA you need to permit ICMP time-exceeded and unreachable inbound on the outside interface, e.g.:

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface OUTSIDE

By default the ASA's IP address would not appear as a hop in the traceroute; to enable this you can also decrement the TTL, e.g.:

policy-map global_policy
class class-default
set connection decrement-ttl

Further examples here and here.

HTH
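As an added illustration (not part of RJI's answer or the poster's configuration), the following Python script audits an ASA configuration for the two conditions the answer describes: the ACL bound inbound on the outside interface permits ICMP time-exceeded and unreachable, and `set connection decrement-ttl` is present under class-default of global_policy. The interface name OUTSIDE and the sample configs are constructed for the example.

```python
import re

# Constructed "before" and "after" snippets in ASA config syntax (not the
# poster's uploaded file). The interface name OUTSIDE is an assumption.
BEFORE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-group OUTSIDE_IN in interface OUTSIDE
policy-map global_policy
 class class-default
"""
AFTER_CONFIG = BEFORE_CONFIG + """\
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
policy-map global_policy
 class class-default
  set connection decrement-ttl
"""

# ICMP types a traceroute sender must receive back: time-exceeded from each
# intermediate hop, unreachable (port) from the final destination.
REQUIRED_ICMP = ("time-exceeded", "unreachable")


def inbound_acl_for(config, interface):
    """Name of the ACL applied with 'access-group ... in interface X', or None."""
    pat = re.compile(r"^access-group (\S+) in interface (\S+)\s*$", re.M)
    return next((acl for acl, iface in pat.findall(config) if iface == interface), None)


def permitted_icmp_types(config, acl):
    """ICMP types that `acl` permits from any source to any destination."""
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit icmp any any (\S+)", re.M)
    return set(pat.findall(config))


def decrement_ttl_enabled(config):
    """True if 'set connection decrement-ttl' sits under class-default of global_policy."""
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy, in_class = (line == "policy-map global_policy"), False
        elif in_policy and line.startswith("class "):
            in_class = line == "class class-default"
        elif in_policy and in_class and line == "set connection decrement-ttl":
            return True
    return False


def check_traceroute_config(config, outside="OUTSIDE"):
    """Report the missing ICMP permits and whether the ASA will show as a hop."""
    acl = inbound_acl_for(config, outside)
    permitted = permitted_icmp_types(config, acl) if acl else set()
    return {"inbound_acl": acl,
            "missing_icmp": [t for t in REQUIRED_ICMP if t not in permitted],
            "asa_visible_as_hop": decrement_ttl_enabled(config)}
```

Running `check_traceroute_config(BEFORE_CONFIG)` reports both ICMP types missing, which matches the all-timeouts tracert in the question; the "after" config reports nothing missing.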

2 REPLIES
Beginner

Re: Traceroute from Host behind Cisco ASA 5505

Thanks RJI! Now I can see traceroute is working as expected!