Welcome to Cisco Firewalls Community
Contributor

Traceroute through ASA?

If a traceroute is done to, let's say, some far-away host out in the WAN, the trace will stop showing anything once it hits a FW that is blocking it, correct? Meaning, it won't just show the * but then show all IPs of the hops after it that aren't FWs?

4 Replies

RJI (VIP Advisor)

Re: Traceroute through ASA?

Hi,

If you traceroute through the ASA, by default the ASA will not appear as a hop (unless you specify decrement-ttl). In order for every hop on the outside of the ASA to be displayed you'd specifically need to permit that traffic. To permit traceroute traffic you'd modify your inbound ACL on the outside interface to permit time-exceeded and unreachable (which one is required depends on the OS the traceroute was sent from).

HTH

Contributor

Re: Traceroute through ASA?

Ok, so I should allow ICMP as well as the following?

class class-default
  set connection decrement-ttl
VIP Advocate

Re: Traceroute through ASA?

No,

You need to allow ICMP, but set connection decrement-ttl is only needed if you want the ASA to be seen in the traceroute path. If you want the ASA to remain invisible, do not implement this. It is not good practice to implement it and should only be done if you have a specific need to do so.

--
Please remember to rate and select a correct answer


VIP Advocate

Re: Traceroute through ASA?

To allow traceroute through the firewall you need to implement the following commands:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded

As @RJI has already mentioned, if you want the ASA to be seen as a hop along the traceroute path you need to configure the ASA to decrement the TTL counter.

policy-map global_policy
  class class-default
    set connection decrement-ttl

--
Please remember to rate and select a correct answer
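As an added example (not code from any of the replies above), a small Python check that reads an ASA running-config excerpt and reports whether the pieces this thread lists are present: an inbound ACL on the outside interface permitting ICMP time-exceeded and unreachable, ICMP inspection under inspection_default, and whether set connection decrement-ttl is configured (which makes the ASA appear as a hop). The config excerpt is constructed; the interface name "outside" and ACL name "outside_access_in" are assumptions.

```python
import re
# Constructed ASA running-config excerpt (not from a real device); the interface
# name "outside" and ACL name "outside_access_in" are assumptions.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
"""

def audit_traceroute_config(config: str) -> dict:
    """Check for the ACL and inspection pieces traceroute needs, and flag decrement-ttl."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # ACL applied inbound on the outside interface (last access-group statement wins).
    acl = None
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface outside$", ln)
        if m:
            acl = m.group(1)
    def acl_permits(icmp_type: str) -> bool:
        if acl is None:
            return False
        pat = rf"access-list {re.escape(acl)} extended permit icmp \S+ \S+ {icmp_type}$"
        return any(re.match(pat, ln) for ln in lines)
    # Walk policy-map global_policy; ASA indents class and action lines with spaces.
    found = {"inspect_icmp": False, "inspect_icmp_error": False, "asa_visible_as_hop": False}
    policy = cls = None
    for ln in lines:
        if not ln.startswith(" "):  # any top-level line ends the current policy-map
            policy = ln.split()[1] if ln.startswith("policy-map ") else None
            cls = None
            continue
        if policy != "global_policy":
            continue
        stmt = ln.strip()
        if stmt.startswith("class "):
            cls = stmt.split()[1]
        elif cls == "inspection_default" and stmt in ("inspect icmp", "inspect icmp error"):
            found[stmt.replace(" ", "_")] = True
        elif cls == "class-default" and stmt == "set connection decrement-ttl":
            found["asa_visible_as_hop"] = True  # decrement-ttl exposes the ASA as a hop
    found["acl_permits_time_exceeded"] = acl_permits("time-exceeded")
    found["acl_permits_unreachable"] = acl_permits("unreachable")
    return found
```

Run it against `show running-config` output saved to a file; asa_visible_as_hop being True is the condition the second accepted answer advises against unless there is a specific need.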