Allow Traceroute through ASA
03-12-2013 09:13 PM - edited 03-11-2019 06:13 PM
We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issued the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a Mac and a PC, since I know that both use different methods when performing a traceroute. Both are unable to traceroute through the ASA.
Labels: NGFW Firewalls

03-12-2013 09:28 PM
Try:
policy-map global_policy
 class class-default
  set connection decrement-ttl
04-01-2016 08:36 AM
Hi,
I have configured the policy and inspection as suggested. When I ping it is working, but trace is not working. When I check in packet tracer, the packet is getting denied on the NAT rule, but the same NAT rule is working fine for user traffic and ping.

08-02-2018 05:31 AM
You also have to allow ICMP from the outside in.
03-12-2013 10:20 PM
Hello Justin,
Hope you are having a great day.
First of all, let's set the basics:
Linux and Cisco devices will send UDP packets to a pseudorandom port to build the network map; the reply will be a UDP ICMP Port-Unreachable.
Windows uses ICMP messages, with a TTL of 1 and then incrementing hop by hop; the reply will be a TTL Exceeded.
So far so good, right?
So in the scenario you are showing us we can see the traceroute working, as we can reach the destination, but it looks like some devices' responses are not reaching us. Why is that?
Well, that is because we have the ASA in place, and those particular ICMP message codes are not permitted by default.
So let's do the following:
access-list Julio extended permit icmp any any time-exceeded
access-list Julio extended permit icmp any any unreachable
access-group Julio in interface outside
Hope that I could help.
Julio Carvajal
Advanced Security Trainer
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
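As an added example that is not part of this post, nor Cisco's or the ASA's own code, the following Python models what a stateful firewall has to do with the two kinds of replies described above. It builds a UDP probe (the Linux/Cisco style) and an ICMP echo probe (the Windows style), the TTL-exceeded and port-unreachable errors a hop would return for them, and then parses each error's quoted inner datagram to decide whether it belongs to a connection the firewall has already seen. The addresses 10.1.1.10 and 192.0.2.1, the connection-table layout and the verdict strings are constructed for this example; the flow-key matching is a simplified stand-in for the ASA's ICMP inspection, not its implementation.

```python
# Added example (not from the thread): how a stateful firewall must read the
# ICMP errors that traceroute relies on. Host 10.1.1.10 and router 192.0.2.1
# are constructed; 4.2.2.2 is the target used elsewhere in the thread.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE = 3, 3   # final hop of a UDP traceroute answers with this
ICMP_ECHO, ICMP_TIME_EXCEEDED = 8, 11              # Windows tracert probe / every intermediate hop's answer
PROTO_ICMP, PROTO_UDP = 1, 17

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:] + payload

def build_udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Linux/Cisco-style probe: UDP to a high port, TTL set to the hop being probed."""
    udp = struct.pack("!HHHH", sport, dport, 12, 0) + b"\x00" * 4   # UDP checksum 0 is legal on IPv4
    return build_ipv4(src, dst, PROTO_UDP, udp, ttl)

def build_echo_probe(src: str, dst: str, ident: int, seq: int, ttl: int) -> bytes:
    """Windows-style probe: ICMP echo request with a small TTL."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq) + b"\x00" * 4
    icmp = icmp[:2] + struct.pack("!H", _csum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, PROTO_ICMP, icmp, ttl)

def build_icmp_error(reporter: str, dst: str, icmp_type: int, code: int, original: bytes) -> bytes:
    """ICMP error as a router sends it: quotes the offending IP header plus 8 bytes of its payload."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", _csum(icmp)) + icmp[4:]
    return build_ipv4(reporter, dst, PROTO_ICMP, icmp)

@dataclass
class IcmpError:
    reporter: str      # outer source address: the hop that generated the error
    icmp_type: int
    code: int
    flow_key: Tuple    # identity of the quoted datagram, looked up in the connection table

def parse_icmp_error(packet: bytes) -> Optional[IcmpError]:
    """Return the flow an ICMP error refers to, or None if it is not a well-formed error."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    if _csum(icmp) != 0:                       # corrupted message: never tie it to a flow
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    inner = icmp[8:]                           # the quoted original datagram
    if len(inner) < 20:
        return None
    inner_src, inner_dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    l4 = inner[(inner[0] & 0x0F) * 4:][:8]
    if len(l4) < 8:
        return None
    if inner[9] == PROTO_UDP:                  # UDP traceroute: match on the port pair
        sport, dport = struct.unpack("!HH", l4[:4])
        key = (PROTO_UDP, inner_src, sport, inner_dst, dport)
    elif inner[9] == PROTO_ICMP and l4[0] == ICMP_ECHO:   # tracert: match on the echo identifier
        key = (PROTO_ICMP, inner_src, struct.unpack("!H", l4[4:6])[0], inner_dst, 0)
    else:
        return None
    return IcmpError(socket.inet_ntoa(packet[12:16]), icmp_type, code, key)

def firewall_verdict(packet: bytes, conns: Set[Tuple]) -> str:
    """Stateful handling: only errors whose quoted datagram matches a known flow are let back in."""
    err = parse_icmp_error(packet)
    if err is None:
        return "drop: not a parseable ICMP error"
    if err.flow_key not in conns:
        return "drop: quoted datagram matches no connection"
    if err.icmp_type == ICMP_TIME_EXCEEDED:
        return f"pass: hop {err.reporter} (TTL exceeded)"
    if err.code == ICMP_PORT_UNREACH_CODE:
        return f"pass: destination {err.reporter} reached (port unreachable)"
    return f"pass: unreachable code {err.code} from {err.reporter}"

def demo() -> List[str]:
    """Constructed traceroute exchange: one router hop, the target, and a stray error for an unknown flow."""
    inside, target, router = "10.1.1.10", "4.2.2.2", "192.0.2.1"
    udp_probe = build_udp_probe(inside, target, 33000, 33434, ttl=1)
    echo_probe = build_echo_probe(inside, target, 0x1234, 1, ttl=1)
    conns = {(PROTO_UDP, inside, 33000, target, 33434), (PROTO_ICMP, inside, 0x1234, target, 0)}
    stray = build_udp_probe("10.9.9.9", target, 40000, 33434, ttl=1)   # no connection exists for this one
    packets = [
        build_icmp_error(router, inside, ICMP_TIME_EXCEEDED, 0, udp_probe),
        build_icmp_error(target, inside, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE, udp_probe),
        build_icmp_error(router, inside, ICMP_TIME_EXCEEDED, 0, echo_probe),
        build_icmp_error(router, inside, ICMP_TIME_EXCEEDED, 0, stray),
    ]
    return [firewall_verdict(p, conns) for p in packets]
```

Running `demo()` shows why a plain "permit icmp any any" ACL is not the whole story: the router that answers with TTL-exceeded appears nowhere in the connection the firewall built for the outbound probe, so the only thing that links the error to the inside host is the quoted inner header, which the firewall has to parse and match exactly as the example does.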
03-28-2013 12:47 PM
I have the same issue on a 5545 running 9.1. I followed the steps outlined here, but it doesn't work. I've successfully done this before on older ASAs running 8.x code, so I know it works. The ACL on the outside interface is there, ICMP inspection is turned on, but traceroutes from inside to outside show "Request timed out". Any ideas?
Thanks.
03-28-2013 12:50 PM
Yeah, I still have the same problem. I can't figure it out. I have ICMP fixup on (inspection) and the proper ACLs, but still I only get a "request timed out".
03-28-2013 12:56 PM
Hello Justin,
I will need to see the configuration, as it does not make sense; it should work.
Regards
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
03-28-2013 01:00 PM
Alright, I'll post the ACLs and the policy-map that shows the inspections later today/tonight.
01-29-2014 03:06 AM
Any update regarding this?
I am having the same issue with ASA v9.1(2).
05-10-2018 07:14 AM
I seem to be running into the same problem.
ICMP works fine. Traceroute doesn't.
I only get request timed out.
05-10-2018 07:22 AM
Hi rkusak,
Did you fix it?
I am facing the same problem.
Traceroute doesn't work .
Only requests timed out.
ICMP works fine.
Tried everything.
08-21-2014 11:53 AM
Hi, I tried but it is not working :(
Please, any help?
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any traceroute
access-group outside_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect ftp
 class class-default
  set connection decrement-ttl
When trying I got this:
CORE_4500#traceroute 4.2.2.2
Type escape sequence to abort.
Tracing the route to 4.2.2.2
1 10.110.0.252 0 msec 0 msec 0 msec
2 4.2.2.2 4 msec 0 msec 0 msec
3 4.2.2.2 4 msec 0 msec 4 msec
4 4.2.2.2 20 msec 24 msec 20 msec
5 4.2.2.2 28 msec 24 msec 24 msec
6 4.2.2.2 24 msec 20 msec 24 msec
7 4.2.2.2 28 msec 28 msec 24 msec
8 4.2.2.2 24 msec 24 msec 24 msec
9 4.2.2.2 36 msec 32 msec 32 msec
10 * 32 msec 28 msec
11 * * *
12 4.2.2.2 36 msec 32 msec 36 msec
13 4.2.2.2 32 msec 36 msec 36 msec
14 4.2.2.2 36 msec 36 msec 36 msec
It shows the same IP for all hops.
08-21-2014 11:55 AM
You have a routing issue. Traceroute is working.
08-21-2014 11:57 AM
Nope, I was missing inspect icmp error.
