2609 Views, 15 Helpful, 4 Replies

Traceroute through ASA?

CiscoPurpleBelt
Level 6

If a traceroute is done to, let's say, some far-away host out in the WAN, the trace will stop showing anything once it hits a FW that is blocking it, correct? Meaning, it won't just show the * but then show all IPs of the hops after it that aren't FWs?

4 Replies

Hi,

If you traceroute through the ASA, by default the ASA will not appear as a hop (unless you specify decrement-ttl). In order for every hop on the outside of the ASA to be displayed you'd specifically need to permit that traffic. To permit traceroute traffic you'd modify your inbound ACL on the outside interface to permit time-exceeded and unreachable (which one is required depends on which OS the traceroute was sent from).

HTH

Ok, so I should allow ICMP as well as

  class class-default
    set connection decrement-ttl

?

No,

You need to allow ICMP, but set connection decrement-ttl is only if you want the ASA to be seen in the traceroute path. If you want the ASA to remain invisible do not implement this. It is not good practice to implement it and should only be done if you have a specific need to do so.

--
Please remember to select a correct answer and rate helpful posts

To allow traceroute through the firewall you need to implement the following commands:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded


As @Rob Ingram has already mentioned, if you want the ASA to be seen as a hop along the traceroute path you need to configure the ASA to decrement the TTL counter.


policy-map global_policy
  class class-default
    set connection decrement-ttl


--
Please remember to select a correct answer and rate helpful posts
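As an added example (not from this thread or from Cisco), here is a small audit script that checks an ASA running-config excerpt for the settings the replies above describe: ICMP inspection under global_policy, the two outside ACL entries, and whether decrement-ttl is set (flagged, since it makes the ASA visible as a hop). The sample config, the ACL name and the function names are assumptions.

```python
import re

# Constructed sample ASA config excerpt; the ACL and interface names are the
# ones used in this thread (outside_access_in, outside).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
"""

REQUIRED = {  # settings the thread says traceroute through the ASA needs
    "inspect_icmp": "inspect icmp (global_policy / inspection_default)",
    "inspect_icmp_error": "inspect icmp error (global_policy / inspection_default)",
    "acl_unreachable": "access-list permit icmp any any unreachable",
    "acl_time_exceeded": "access-list permit icmp any any time-exceeded",
}

def audit_traceroute_config(config, acl_name="outside_access_in"):
    """Return a dict of which traceroute-relevant lines appear in config."""
    found = dict.fromkeys(REQUIRED, False)
    found["decrement_ttl"] = False
    acl_re = re.compile(r"^access-list %s extended permit icmp \S+ \S+ "
                        r"(unreachable|time-exceeded)\b" % re.escape(acl_name))
    policy = cls = None  # track policy-map / class nesting by indentation
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level line ends any policy-map block
            policy = cls = None
        if line.startswith("policy-map "):
            policy = line.split()[1]
        elif line.startswith("class ") and policy:
            cls = line.split()[1]
        elif policy == "global_policy":
            if line == "inspect icmp":
                found["inspect_icmp"] = True
            elif line == "inspect icmp error":
                found["inspect_icmp_error"] = True
            elif line == "set connection decrement-ttl" and cls == "class-default":
                found["decrement_ttl"] = True
        m = acl_re.match(line)
        if m:
            found["acl_" + m.group(1).replace("-", "_")] = True
    return found

def traceroute_findings(found):
    """List missing settings; flag decrement-ttl since it exposes the ASA as a hop."""
    msgs = ["missing: " + desc for key, desc in REQUIRED.items() if not found[key]]
    if found["decrement_ttl"]:
        msgs.append("decrement-ttl is set: the ASA will appear as a hop; keep only if needed")
    return msgs
```

Run it against `show running-config` output saved to a file to see which of the thread's lines are absent before troubleshooting a traceroute that stops at the ASA.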