Tracert not enabled in ASA

Herald Sison
Level 3
Level 3

Hi Guys,

I have enabled the command below as I saw in other forums, but I still can't get a result for tracert, although I can ping 8.8.8.8 successfully.

ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl

I have also checked and enabled ICMP in Service Policy Rules via ASDM but am still not getting tracert results. What else do I need to do to enable tracert on my ASA? My ASA model is ASA5508.

Attached is the result of my tracert from my computer connected to the network. The setup is Computer -> Core switch -> ASA -> Internet.


15 Replies

Hi,

In order to traceroute through an ASA you need to modify the outside interface ACL. E.g.:

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

Decrementing the TTL will only allow the ASA to appear as a hop in the traceroute.

Reference here.

HTH

 

Hi Sir,

I already did this one also but still can't traceroute.

Kindly see attached.

Enabled inspect icmp and icmp error.


Hi Sir,

I already did this one also but still am not getting traceroute results.

Please see attached.

In addition to what's been said by the other posters, you might also want to confirm that there are no related UDP packets being dropped by the ASA. Logging asdm informational will help in that regard.
Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
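To make the "confirm that no related UDP packets are being dropped" check concrete, here is an added example (not from the thread or from Cisco) that picks traceroute-related denies out of ASA syslog/ASDM log lines. It assumes the standard %ASA-4-106023 deny format; the log lines, interface names and ACL names are constructed. Windows tracert probes with ICMP echo, while Linux/macOS traceroute defaults to UDP ports 33434 and up, so both the outbound probe and the inbound ICMP error reply are checked.

```python
"""Pick traceroute-related denies out of ASA syslog / ASDM log output.
Added example, not from the thread or from Cisco."""
import re

# Constructed sample lines in the %ASA-4-106023 (deny by access-group)
# and %ASA-6-302015 (connection built) formats; the interface names
# and ACL names are placeholders.
LOGS = """\
%ASA-4-106023: Deny udp src inside:192.168.0.10/51234 dst outside:8.8.8.8/33434 by access-group "INSIDE-IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.0.10/51235 dst outside:8.8.8.8/33435 by access-group "INSIDE-IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.0.10/51236 dst outside:8.8.8.8/53 by access-group "INSIDE-IN" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:8.8.8.8 dst inside:192.168.0.10 (type 11, code 0) by access-group "OUTSIDE-INTER-IN" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 1234 for outside:8.8.8.8/33436 (8.8.8.8/33436) to inside:192.168.0.10/51237 (192.168.0.10/51237)
"""

DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>udp|icmp) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"')

TRACEROUTE_UDP = range(33434, 33535)  # default Unix traceroute probe ports
ICMP_ERRORS = {"3": "unreachable", "11": "time-exceeded"}  # return-path types


def find_traceroute_drops(log_text: str) -> list:
    """Return one dict per denied line that would break a traceroute."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # not a 106023 deny, e.g. a 302015 "Built" line
        d = m.groupdict()
        if d["proto"] == "udp" and d["dport"] and int(d["dport"]) in TRACEROUTE_UDP:
            why = "udp traceroute probe denied"
        elif d["proto"] == "icmp" and d["type"] in ICMP_ERRORS:
            why = f"icmp {ICMP_ERRORS[d['type']]} reply denied"
        else:
            continue  # an ordinary deny, e.g. the udp/53 line above
        hits.append({"proto": d["proto"], "from": f"{d['sif']}:{d['src']}",
                     "to": f"{d['dif']}:{d['dst']}", "acl": d["acl"], "why": why})
    return hits


if __name__ == "__main__":
    for hit in find_traceroute_drops(LOGS):
        print(hit)
```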

I see that the hit count on every element of the access list is 0. So I wonder what is going on with the access list. And in fact with icmp and icmp error inspection enabled you do not really need the access list for tracert to work. Perhaps we need some more detail about how the ASA is configured.

HTH

Rick

Hi Sir,
Which particular part of the config do you want to check, so I can paste it here?

There are multiple parts of the config that we would want to see, including how the interfaces are configured, how the access lists are configured, how the access lists are applied, how address translation is configured, and what inspections are enabled. The easy thing is to post show run with sensitive information such as public IP addresses disguised.

HTH

Rick

Hi Sir,

I have attached below the whole running config of the ASA and replaced all sensitive info with the * character.

Thank you so much and more power.

: Saved

:
: Serial Number: ***
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 07:51:20.449 UTC Thu Jul 18 2019
!
ASA Version 9.8(2)
!
hostname ***
domain-name ***.local
names
ip local pool net-10 10.0.0.1-10.0.0.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1**.2*.1**.10 255.255.255.***
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.*** 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 10.0.0.254 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name ***.local
object network INSIDE_NETS
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
object network SERVERS
subnet 192.168.0.0 255.255.255.0
object network ***-USERS
subnet 192.168.30.0 255.255.255.0
object-group network ***-LOCAL
network-object 192.168.0.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object object SERVERS
network-object object ***-USERS
access-list OUTSIDE-INTER-IN extended permit icmp any4 any4 echo
access-list OUTSIDE-INTER-IN extended permit icmp any4 any4 echo-reply
access-list OUTSIDE-INTER-IN extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE-INTER-IN extended deny ip 10.0.0.0 255.0.0.0 any4 log
access-list OUTSIDE-INTER-IN extended deny ip 127.0.0.0 255.0.0.0 any4 log
access-list OUTSIDE-INTER-IN extended deny ip 1**.***.0.0 255.255.0.0 any4 log
access-list OUTSIDE-INTER-IN extended deny ip 1**.1*.0.0 255.240.0.0 any4 log
access-list OUTSIDE-INTER-IN extended permit ip 192.168.30.0 255.255.255.0 any4 log
access-list OUTSIDE-INTER-IN extended deny ip 224.0.0.0 224.0.0.0 any4 log
access-list OUTSIDE-INTER-IN extended deny ip 255.0.0.0 255.0.0.0 any4 log
access-list OUTSIDE-INTER-IN extended permit ip 192.168.0.0 255.255.255.0 any4 log
access-list OUTSIDE-INTER-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-INTER-IN extended permit icmp any any unreachable
access-list OUTSIDE-INTER-IN extended permit icmp any any traceroute
access-list OUTSIDE-INTER-IN extended permit icmp any any echo
access-list OUTSIDE-INTER-IN extended permit icmp any any echo-reply
access-list DMZ-INTER-IN extended permit icmp any4 any4 echo
access-list DMZ-INTER-IN extended permit icmp any4 any4 echo-reply
access-list DMZ-INTER-IN extended permit icmp any4 any4 time-exceeded
access-list VPN-ACL standard permit 192.168.0.0 255.255.0.0
access-list VPN-ACL standard permit 192.168.30.0 255.255.255.0
access-list VPN-ACL standard permit 192.168.0.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Permit_Inside standard permit 192.168.0.0 255.255.255.0
access-list Permit_Inside standard permit 192.168.30.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
!
object network INSIDE_NETS
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
router eigrp 1
network 192.168.0.0 255.255.255.0
network 192.168.1.0 255.255.255.0
network 192.168.30.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 1**.2*.1**.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RemoteUsers protocol ldap
max-failed-attempts 5
aaa-server RemoteUsers (inside) host 192.168.0.**
ldap-base-dn dc=***,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ***
ldap-login-dn cn=asa,OU=Service_Accounts,dc=***,dc=local
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=***.com
keypair godaddy.key
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 7982675a0d1167b02cc714a67fd9eb0e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 2
anyconnect profiles ***-Profile disk0:/ltc-profilenull.Unknown
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_Employee internal
group-policy GroupPolicy_Employee attributes
wins-server value 192.168.0.**
dns-server value 192.168.0.**
vpn-simultaneous-logins 10
vpn-idle-timeout 9999
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ACL
default-domain value ***.LOCAL
split-tunnel-all-dns disable
webvpn
anyconnect profiles value LTC-Profile type user
always-on-vpn profile-setting
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record RemoteUsers1
description "Allow user if a member of RemoteUsers AD Group!"
priority 1
dynamic-access-policy-record RemoteUsers
description "Block user if not a member of RemoteUsers AD Group!"
user-message "You are not authorized to access the VPN. Please Contact Your Network Administator."
action terminate
priority 2
username *** password $sha512$5000$XQl11klY4cxxwWPLYQ5HNg==$j7cU1DizcN4NB23Uyosutw== pbkdf2
username *** password $sha512$5000$KBrOiJ2vtlNH4lFAgOhJBg==$VPAQTrvfsFocsHYTXI1adA== pbkdf2 privilege 15
username *** password $sha512$5000$WbITkfERWu3bD4TY/Z3O9w==$1yDBLOTKegjBb/0zC7QUSQ== pbkdf2
tunnel-group Employee type remote-access
tunnel-group Employee general-attributes
address-pool net-10
authentication-server-group RemoteUsers LOCAL
default-group-policy GroupPolicy_Employee
tunnel-group Employee webvpn-attributes
group-alias Employee enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:32a1254bfd7a17033f8b2432d50595dd
: end

Thank you for posting the configuration. I do find several things in it to comment about.

- You have configured an access list for the outside interface, but it is not applied to the outside interface, so it is not being used.

- You have included icmp and icmp error in the policy map, so they are being inspected. Therefore I believe that it does not matter that the access list is not applied to the outside interface. With icmp and icmp error being inspected I would expect that the error responses would be allowed.

- I suggest that the thresholds for icmp unreachable should be increased.

icmp unreachable rate-limit 1 burst-size 1

I found this in some Cisco documentation: "Increasing the rate limit, along with enabling the set connection decrement-ttl command in a service policy, is required to allow a traceroute through the ASA that shows the ASA as one of the hops."

Here is the link if you want more details:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/access-rules.html

- If increasing the threshold does not solve the issue, then I wonder about the icmp rules you configured on the inside interface:

icmp permit any inside
icmp permit any echo-reply inside

and wonder if you might also need

icmp permit any outside

HTH

Rick
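The points above (an outside ACL that permits time-exceeded and unreachable and is actually bound with access-group, icmp and icmp error inspection, decrement-ttl in the service policy, and a raised icmp unreachable rate limit) can be checked mechanically. Here is an added example, not from the thread or from Cisco, that audits a running-config text for them; the BEFORE and AFTER excerpts are constructed from the posted config and the fixes discussed, and the ACL and interface names are taken from it.

```python
"""Audit an ASA running-config for the traceroute-through-ASA
prerequisites raised in this thread. Added example, not Cisco tooling."""
import re

# Constructed excerpt modelled on the posted config: the outside ACL
# permits the ICMP error types, but no access-group line binds it to the
# outside interface, and the unreachable rate limit is still the default 1.
BEFORE = """\
interface GigabitEthernet1/1
 nameif outside
access-list OUTSIDE-INTER-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-INTER-IN extended permit icmp any any unreachable
icmp unreachable rate-limit 1 burst-size 1
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""

# The same excerpt after the changes that closed the thread (constructed):
# rate limit raised and the ACL actually applied inbound on outside.
AFTER = (BEFORE.replace("rate-limit 1 ", "rate-limit 50 ")
         + "access-group OUTSIDE-INTER-IN in interface outside\n")

ACL_RE = re.compile(r"access-list (\S+) extended permit icmp \S+ \S+ "
                    r"(time-exceeded|unreachable)$")
BIND_RE = re.compile(r"access-group (\S+) in interface outside$")
RATE_RE = re.compile(r"icmp unreachable rate-limit (\d+)")


def audit_traceroute(config: str) -> dict:
    """Map each prerequisite name to True (present) or False (missing)."""
    lines = [ln.strip() for ln in config.splitlines()]
    # ICMP error types each ACL permits: the return path for traceroute
    permitted = {}
    for ln in lines:
        if m := ACL_RE.match(ln):
            permitted.setdefault(m.group(1), set()).add(m.group(2))
    # Only ACLs bound inbound on outside count; an unbound ACL does nothing
    bound = {m.group(1) for ln in lines if (m := BIND_RE.match(ln))}
    acl_ok = any(permitted.get(a, set()) >= {"time-exceeded", "unreachable"}
                 for a in bound)
    # ASA default for icmp unreachable rate-limit is 1 when not configured
    rate = next((int(m.group(1)) for ln in lines if (m := RATE_RE.match(ln))), 1)
    return {
        "outside_acl_applied_and_permits_icmp_errors": acl_ok,
        "icmp_and_icmp_error_inspected": ("inspect icmp" in lines
                                          and "inspect icmp error" in lines),
        "ttl_decremented_in_service_policy": "set connection decrement-ttl" in lines,
        "unreachable_rate_limit_raised": rate > 1,
    }


def missing_for_traceroute(config: str) -> list:
    """Names of the prerequisites the config still lacks, in audit order."""
    return [name for name, ok in audit_traceroute(config).items() if not ok]


if __name__ == "__main__":
    print("before:", missing_for_traceroute(BEFORE))  # two items missing
    print("after: ", missing_for_traceroute(AFTER))   # []
```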

Hi Sir,

Thank you for your advice. I will try all of the options you gave above and let you know the outcome.

Thanks

Hi Sir,

I have followed all the options given above but am still not getting good results for tracert from my computer through my firewall. I can get a result if I run traceroute inside the CLI of the ASA, but this was already working before I touched everything else, and my goal is to get a traceroute from my computer and not from the CLI of the ASA.

Here are the changes I made based on the link you gave and on your suggestions.

icmp unreachable rate-limit 50 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any echo-reply inside


class-map global-class
match any
class global-class
set connection decrement-ttl

Hi Sir,

I finally made it run now. What I did was point the access list that I made for ICMP to the outside interface, and tracert is now running on the computer side.

Thank you so much, sir.

Thank you for the update. Glad to know that you have it working. Thank you for confirming that the entries in the access list were required to get it to work. I believe some of the other changes were needed also, but the access list was one critical part of the solution. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

HTH

Rick