We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issued the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a Mac and a PC since I know that both use different methods when performing a traceroute. Both are unable to traceroute through the ASA.
I have configured the policy and inspection as suggested. When I ping, it works, but trace is not working. When I check in packet tracer, the packet is getting denied on a NAT rule, but the same NAT rule is working fine for user traffic and ping.
I have the same issue on a 5545 running 9.1. I followed the steps outlined here, but it doesn't work. I've successfully done this before on older ASAs running 8.x code, so I know it works. The ACL on the outside interface is there, ICMP inspection is turned on, but traceroutes from inside to outside show "Request timed out". Any ideas?
Yeah, I still have the same problem. I can't figure it out. I have ICMP fixup on (inspection) and the proper ACLs, but still I only get a "request timed out".
I will need to see the configuration, as it does not make sense; it should work.
Hi rkusak,
Did you fix it?
I am facing the same problem.
Traceroute doesn't work.
Only requests timed out.
ICMP works fine.
Hi, I tried but it is not working :(
Any help, please.
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any traceroute
access-group outside_in in interface outside
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
set connection decrement-ttl
When trying I got this:
Type escape sequence to abort.
Tracing the route to 22.214.171.124
1 10.110.0.252 0 msec 0 msec 0 msec
2 126.96.36.199 4 msec 0 msec 0 msec
3 188.8.131.52 4 msec 0 msec 4 msec
4 184.108.40.206 20 msec 24 msec 20 msec
5 220.127.116.11 28 msec 24 msec 24 msec
6 18.104.22.168 24 msec 20 msec 24 msec
7 22.214.171.124 28 msec 28 msec 24 msec
8 126.96.36.199 24 msec 24 msec 24 msec
9 188.8.131.52 36 msec 32 msec 32 msec
10 * 32 msec 28 msec
11 * * *
12 184.108.40.206 36 msec 32 msec 36 msec
13 220.127.116.11 32 msec 36 msec 36 msec
14 18.104.22.168 36 msec 36 msec 36 msec
It shows the same IP for all hops.
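An added example, not part of any post in this thread and not Cisco tooling: a small Python check that reads a saved running-config and reports which of the traceroute-related settings named above (inbound ACL bound to the outside interface, permits for time-exceeded and unreachable, `inspect icmp`, `inspect icmp error`, `set connection decrement-ttl`) are absent. The function names and the sample config are constructed for illustration; the check assumes a flat text match and does not evaluate ACL ordering, NAT, or whether the policy-map is attached with a service-policy.

```python
import re

# Constructed sample modeled on the fragment posted above; a real
# running-config is longer. The policy-map/class lines are assumed.
SAMPLE_CONFIG = """\
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
 class class-default
  set connection decrement-ttl
"""

def audit_traceroute(config, interface="outside"):
    """Report which traceroute-related settings from the thread are present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    # Name of the ACL applied inbound on the interface, if any.
    bound = None
    for l in lines:
        m = re.fullmatch(r"access-group (\S+) in interface (\S+)", l)
        if m and m.group(2) == interface:
            bound = m.group(1)

    def acl_permits(icmp_type):
        if bound is None:
            return False
        pat = rf"access-list {re.escape(bound)} extended permit icmp (.+)"
        for l in lines:
            m = re.fullmatch(pat, l)
            # "any any" with no type keyword permits every ICMP type.
            if m and (m.group(1) == "any any" or m.group(1).endswith(" " + icmp_type)):
                return True
        return False

    return {
        "acl_bound_inbound": bound is not None,
        "permit_time_exceeded": acl_permits("time-exceeded"),
        "permit_unreachable": acl_permits("unreachable"),
        "inspect_icmp": "inspect icmp" in lines,
        "inspect_icmp_error": "inspect icmp error" in lines,
        # Only needed if the ASA itself should appear as a hop.
        "decrement_ttl": "set connection decrement-ttl" in lines,
    }

def missing(config, interface="outside"):
    """List the names of the checks that failed."""
    return [k for k, ok in audit_traceroute(config, interface).items() if not ok]
```

Calling `missing()` on the text of a saved `show running-config` returns the names of the settings it could not find; an empty list means every setting discussed in the thread is present as text, not that traceroute is guaranteed to pass.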