03-12-2013 09:13 PM - edited 03-11-2019 06:13 PM
We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issued the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a Mac and a PC since I know that both use different methods when performing a traceroute. Both are unable to traceroute through the ASA.
03-12-2013 09:28 PM
Try
class class-default
set connection decrement-ttl
04-01-2016 08:36 AM
Hi,
I have configured the policy and inspection as suggested. When I ping it is working, but trace is not working. When I check in packet tracer, the packet is getting denied on the NAT rule, but the same NAT rule is working fine for user traffic and ping.
08-02-2018 05:31 AM
You also have to allow ICMP from the outside in.
03-12-2013 10:20 PM
Hello Justin,
Hope you are having a great day.
First of all, let's set the basics:
Linux and Cisco devices will send UDP packets to a pseudorandom port to build the network map; the reply will be a UDP ICMP Port-Unreachable.
Windows uses ICMP messages, with a TTL of 1 that is then incremented hop by hop; the reply will be a TTL Exceeded.
So far so good, right?
So in the scenario you are showing us we can see the traceroute working, as we can reach the destination, but it looks like some devices' responses are not reaching us. Why is that?
Well, that is because we have the ASA in place and those particular ICMP message codes are not permitted by default.
So let's do the following:
access-list Julio extended permit icmp any any time-exceeded
access-list Julio extended permit icmp any any unreachable
access-group Julio in interface outside
Hope that I could help
Julio Carvajal
Advanced Security Trainer
03-28-2013 12:47 PM
I have the same issue on a 5545 running 9.1. I followed the steps outlined here, but it doesn't work. I've successfully done this before on older ASAs running 8.x code, so I know it works. The ACL on the outside interface is there, ICMP inspection is turned on, but traceroutes from inside to outside show "Request timed out". Any ideas?
Thanks.
03-28-2013 12:50 PM
Yeah I still have the same problem. I can't figure it out. I have ICMP fixup on (inspection) and the proper ACLs but still I only get a "request timed out"
03-28-2013 12:56 PM
Hello Justin,
I will need to see the configuration as it does not make sense, it should work
Regards
03-28-2013 01:00 PM
Alright, I'll post the ACLs and the policy-map that shows the inspections later today/tonight.
01-29-2014 03:06 AM
Any update regarding this?
I am having the same issue with ASA v9.1(2).
05-10-2018 07:22 AM
Hi rkusak,
Did you fix it?
I am facing the same problem.
Traceroute doesn't work.
Only requests timed out.
ICMP works fine.
Tried everything.
08-21-2014 11:53 AM
Hi, I tried but it is not working :(
Please, any help?
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any traceroute
access-group outside_in in interface outside
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect ftp
class class-default
set connection decrement-ttl
When trying I got this:
CORE_4500#traceroute 4.2.2.2
Type escape sequence to abort.
Tracing the route to 4.2.2.2
1 10.110.0.252 0 msec 0 msec 0 msec
2 4.2.2.2 4 msec 0 msec 0 msec
3 4.2.2.2 4 msec 0 msec 4 msec
4 4.2.2.2 20 msec 24 msec 20 msec
5 4.2.2.2 28 msec 24 msec 24 msec
6 4.2.2.2 24 msec 20 msec 24 msec
7 4.2.2.2 28 msec 28 msec 24 msec
8 4.2.2.2 24 msec 24 msec 24 msec
9 4.2.2.2 36 msec 32 msec 32 msec
10 * 32 msec 28 msec
11 * * *
12 4.2.2.2 36 msec 32 msec 36 msec
13 4.2.2.2 32 msec 36 msec 36 msec
14 4.2.2.2 36 msec 36 msec 36 msec
It shows the same IP for all hops.
08-21-2014 11:55 AM
You have a routing issue. Traceroute is working.
08-21-2014 11:57 AM
Nope, I was missing inspect icmp error.
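As an added example, not part of the thread and not Cisco code: a small Python model of why Julio's explanation (UDP probes answered by port-unreachable, ICMP echo probes answered by time-exceeded, both of which the outside ACL has to permit) is still not enough without the final fix, inspect icmp error. A router upstream of the firewall answers a TTL=1 probe with an ICMP error addressed to the PAT address and quotes the first 28 bytes of the probe; to deliver that error to the inside host the firewall has to read the quoted header and match it to the translation the probe created. The addresses, ports and xlate table below are constructed, and forward_icmp_error is a deliberate simplification of the behaviour the thread describes (ACL check, then session match on the quoted header), not the ASA's real state machine.

```python
"""Added example (not from the thread or from Cisco): model the work that
ICMP error inspection does for a traceroute reply crossing a NAT firewall."""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 3, 8, 11
PROTO_ICMP, PROTO_UDP = 1, 17

# Constructed addresses: inside host, its PAT address on the outside, the
# traceroute target, and the upstream router that answers the TTL=1 probe.
INSIDE_HOST, PAT_ADDR, TARGET, ROUTER = "10.110.0.10", "203.0.113.5", "4.2.2.2", "198.51.100.1"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_probe(src, dst, sport, dport, ttl):
    """Linux/IOS style traceroute probe: UDP to a high unused port, small TTL."""
    return ipv4(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0), ttl)


def icmp_echo_probe(src, dst, ident, seq, ttl):
    """Windows style traceroute probe: ICMP echo request with a small TTL."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return ipv4(src, dst, PROTO_ICMP, icmp, ttl)


def icmp_error(sender, dst, itype, code, offending: bytes):
    """ICMP error as a router or the target sends it: type/code, then the
    first 28 bytes (IP header + 8 bytes of L4) of the packet that caused it."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    return ipv4(sender, dst, PROTO_ICMP, body, 255)


def quoted_flow(pkt: bytes) -> dict:
    """Read an ICMP error and return the flow key of the packet it quotes.
    UDP/TCP flows key on ports; ICMP echo flows key on the echo identifier."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    l4 = inner[inner_ihl:inner_ihl + 8]
    if proto == PROTO_ICMP:
        key = (PROTO_ICMP, src, struct.unpack("!H", l4[4:6])[0], dst, 0)
    else:
        sport, dport = struct.unpack("!HH", l4[:4])
        key = (proto, src, sport, dst, dport)
    return {"from": socket.inet_ntoa(pkt[12:16]), "type": icmp[0], "code": icmp[1], "flow": key}


def forward_icmp_error(pkt, acl_types, xlate, icmp_error_inspection):
    """Simplified outside-interface decision for an inbound ICMP error.
    acl_types: ICMP types the outside-in ACL permits.  xlate: flow key as
    seen on the outside -> inside host, built when the probes left.
    This models the behaviour the thread describes; it is not ASA code."""
    info = quoted_flow(pkt)
    if info["type"] not in acl_types:
        return "dropped by outside ACL", None
    if not icmp_error_inspection:
        # Only the outer header is consulted: it is addressed to the PAT
        # address and no ICMP session exists for it, so it is dropped.
        return "no session for outer header (needs inspect icmp error)", None
    inside = xlate.get(info["flow"])
    if inside is None:
        return "quoted flow matches no xlate", None
    return f"untranslated to {inside}", inside


def demo():
    """Three replies a traceroute produces, with and without error inspection."""
    xlate = {(PROTO_UDP, PAT_ADDR, 20001, TARGET, 33434): INSIDE_HOST,
             (PROTO_ICMP, PAT_ADDR, 7001, TARGET, 0): INSIDE_HOST}
    udp_on_wire = udp_probe(PAT_ADDR, TARGET, 20001, 33434, ttl=1)
    echo_on_wire = icmp_echo_probe(PAT_ADDR, TARGET, 7001, 1, ttl=1)
    replies = [icmp_error(ROUTER, PAT_ADDR, ICMP_TIME_EXCEEDED, 0, udp_on_wire),
               icmp_error(ROUTER, PAT_ADDR, ICMP_TIME_EXCEEDED, 0, echo_on_wire),
               icmp_error(TARGET, PAT_ADDR, ICMP_DEST_UNREACH, 3, udp_on_wire)]
    acl = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}
    return ([forward_icmp_error(r, acl, xlate, True)[1] for r in replies],
            [forward_icmp_error(r, acl, xlate, False)[1] for r in replies])
```

demo() returns the inside host for all three replies when error inspection is on and None for all three when it is off, which is the "ping works, traceroute times out" symptom from the thread: an echo reply's outer header matches the echo request's own session, but a time-exceeded or port-unreachable only matches a session through the header it quotes.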