access-list traceroute remark Allow traceroute

access-list traceroute extended permit icmp any any time-exceeded log 

access-list traceroute remark Allow traceroute

access-list traceroute extended permit icmp any any unreachable log

access-group traceroute in interface outside

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

  inspect icmp 

  inspect icmp error 

 class class-default

  user-statistics accounting

!

service-policy global_policy global

It worked perfect! Tested from Windows, MacOSX and a Cisco switch. Thank you! Had to add 'inspect icmp error' to get it to work properly.

hi Julio - 

So an acl with ttl-exceeded and time-exceeded match two different packets on a ASR1k.  One as a response from a MS host and the other from a Unix/Cisco host.  Both with the same reason for sending the icmp reply.

This one helped me as I was missing the access-group piece, this how my setup looks now.

access-list outside_IN extended permit icmp any any traceroute
access-list outside_IN extended permit icmp any any unreachable
access-list outside_IN extended permit icmp any any time-exceeded
...
access-group outside_IN in interface outside

...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
set connection decrement-ttl
...

Thank you Doran, you saved my day.

I was running ASA 5510 v9.1 and I was experiencing the same problem. I was not able to traceroute from the internal LAN interface. I have already done the second requirement:

* Allow ICMP time-exceeded inbound from outside.

And I was wondering what is happening? So when I saw your post I checked the first requirement and it appears that I have not defined an inspect rule for the outgoing ICPM traffic. So I added it and everything looks good.

Can you explain or give me a link with information why I need to inspect the ICMP traffic?

Thank you again and have a nice day!

Sure,

The ICMP inspection allows the ASA to keep track of the ICMP connections built *through* the ASA. In your case, if you only had the ACL the TTL traffic is allowed in from the outside, but the ASA did not keep track of the connection, so the traffic was still denied.

In the other case, people may have had the ICMP inspection configuration so the ASA keeps track of the ICMP connections built through the ASA, but that command only dynamically allows ICMP echo replies back in, not the TTL expired, so it gets denied again in this scenario.

You need both pieces for the ICMP based traceroute so that you are allowed time expired traffic in, but you need the ASA also to know the details of the ICMP connection through the ASA.

I hope that helps. We can get much more detailed but I don't have time at the moment.

Wonderful !
Thank you for the explanation.

This works fine for getting trace route to show when tracing traffic from the inside interface to the outside interface but what about DMZ interfaces?

I have several firewalls some of which have several DMZ area's hanging off them.  Some of these firewalls have an outside connection and some do not.  It would be very beneficial for traceroute to show the firewall in its output.  I have added a class default and set connection decrement-ttl which worked when tracing internet bound traffic but not DMZ bound traffic.  When trying to trace DMZ bound traffic I'm not seeing anything getting denied and have ACL statements to allow echo, echo-reply, time-exceeded, and unreachables.  Does anyone know if it's possible to get the firewall to show when tracing traffic destined to a DMZ and not the outside?

H:\>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  10.1.1.254
  2     2 ms     1 ms     1 ms  10.20.0.1       <- Firewall inside ip
  3     3 ms     1 ms     1 ms  1*.***.***.**2
  4    ^C
 

C:\>tracert 10.10.10.5

Tracing route to 10.10.10.5
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  10.1.1.254
  2     *        *        *     Request timed out.    <-  firewall doesn't show
  3     2 ms     1 ms     1 ms  10.10.10.5

Firewall:

icmp unreachable rate-limit 10 burst-size 5
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside

access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded

access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply

access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded

class-map CLASS_DEFAULT
 match any
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect dns
  inspect ip-options
  inspect snmp
  inspect icmp
  inspect tftp
class CLASS_DEFAULT
  set connection decrement-ttl

This was very helpfuly.

>/Shane