cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

58100
Views
65
Helpful
26
Replies
Justin Westover
Beginner

Allow Traceroute through ASA

We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issue the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a MAC and a PC since I know that both uses different methods when performing a traceroute. Both are unable to traceroute through the ASA.

26 REPLIES 26
jocamare
Enthusiast

Try

class class_default
  set connection decrement-ttl

HI,

I have configured policy , inspection as suggested... when i ping it is working , but trace is not working , when i check in packet tracer .. Packet is getting denined on NAT Rule. but same NAT rule is working fine for user traffice and ping

You also have to allow ICMP from the outside in.

Julio Carvajal
Advisor

Hello Justin,

Hope you are having a great day.

First of all lets set the basics:

Linux and Cisco devices will send UDP packets  to a pseudorandom port to build the network map, the reply will be an UDP ICMP Port-Unreachable

Windows use ICMP messages,with a TTL of 1 and then incrementing hop by hop. the reply will be a TTL Exceeded.

So Far so good right.

So on the Scenario you are showing us we can see the traceroute working as we can reach the destination but looks like some devices responses are not reaching us.. Why is that?

Well that is because we have the ASA in place and those particular ICMP message codes are not permited by default

So let's do the following:

access-list Julio permit icmp any any eq time-exceeded

access-list Julio permit icmp any any eq unreachable

access-group Julio in interface outside

Hope that I could help

Julio Carvajal

Advanced Security Trainer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have the same issue on a 5545 running 9.1. I followed the steps outlined here, but it doesn't work. I've succesfully done this before on older ASA's running 8.x code, so I know it works. The ACL on the outside interface is there, ICMP inspection is turned on, but traceroutes from inside to outside show "Request timed out". Any ideas?

Thanks.

Yeah I still have the same problem. I can't figure it out. I have ICMP fixup on (inspection) and the proper ACLs but still I only get a "request timed out"

Hello Justin,

I will need to see the configuration as it does not make sense, it should work

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Alright, i'll post the ACLs and the policy-map that shows the inspections later today/tonight.

Any Update regarding this ??

I am having same issue with ASA v 9.1(2)

Hi Justin , DID you fix it.

I seem to be running into the same problem .

ICMP works fine. Traceroute doesnt.
I only get request timed out

Hi rkusak ,

 

Did you fix it ?

 

I am facing same problem .

 

Traceroute doesn't work .

 

Only requests timed out.

 

ICMP works fine.

 

Tried everything.

 

Hi, I tried but it is not working :(

 

Please any help


access-list outside _in extended permit icmp any any time-exceeded
access-list outside _in extended permit icmp any any unreachable
access-list outside _in extended permit icmp any any traceroute

 

outside _in in interface outside

 

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ftp
 class class-default
  set connection decrement-ttl

 

When trying I got this:

 

CORE_4500#traceroute 4.2.2.2
Type escape sequence to abort.
Tracing the route to 4.2.2.2
  1 10.110.0.252 0 msec 0 msec 0 msec
  2 4.2.2.2 4 msec 0 msec 0 msec
  3 4.2.2.2 4 msec 0 msec 4 msec
  4 4.2.2.2 20 msec 24 msec 20 msec
  5 4.2.2.2 28 msec 24 msec 24 msec
  6 4.2.2.2 24 msec 20 msec 24 msec
  7 4.2.2.2 28 msec 28 msec 24 msec
  8 4.2.2.2 24 msec 24 msec 24 msec
  9 4.2.2.2 36 msec 32 msec 32 msec
 10  *  32 msec 28 msec
 11  *  *  *
 12 4.2.2.2 36 msec 32 msec 36 msec
 13 4.2.2.2 32 msec 36 msec 36 msec
 14 4.2.2.2 36 msec 36 msec 36 msec

 

Its shows same IP for all hops

You have a routing issue. Traceroute is working.

Nop, I was missing inspect icmp error

Content for Community-Ad