I am currently trying to set up an ACL to allow only type 11 ICMP messages back through the outside interface of our ASA, using specific hosts and destination addresses. Currently I have two object groups set up, with internal addresses (object group 1) and external specified hosts (internet). Also, my global policies are set to allow ICMP traffic to be inspected. The issue I'm trying to resolve is that when I trace to an internet site (www.yahoo.com), the trace starts to time out after leaving the ASA.
Results and configs below:
C:\Users>tracert www.yahoo.com
Tracing route to ds-any-fp3-real.wa1.b.yahoo.com [98.139.183.24]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms x.x.x.x.
2 <1 ms <1 ms <1 ms x.x.x.x.
3 1 ms <1 ms <1 ms x.x.x.x.
4 <1 ms <1 ms <1 ms x.x.x.x.
5 1 ms 2 ms 1 ms x.x.x.x.
6 13 ms 5 ms 4 ms x.x.x.x.
7 9 ms 8 ms 8 ms x.x.x.x.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 36 ms * * ir2.fp.vip.bf1.yahoo.com [98.139.183.24]
30 130 ms 98 ms 66 ms ir2.fp.vip.bf1.yahoo.com [98.139.183.24]
object-group network objectgroup1
description -- these are the source addresses
network-object xx.xx.0.0 255.255.0.0
object-group network objectgroup2
description -- external hosts
network-object host xx.xx.xx.xx
network-object host xx.xx.xx.xx
access-list acl_outside extended permit icmp object-group objectgroup1 object-group objectgroup2 eq time-exceeded
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
How can I have the hosts in between show?
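For reference, below is the shape of an outside-interface ACL and ICMP inspection policy that lets traceroute's hop-by-hop time-exceeded replies back in through an ASA. This is an added example, not the poster's configuration and not a Cisco reference snippet; it reuses the poster's object group name objectgroup1 and ACL name acl_outside, and assumes the ACL is applied inbound on an interface named "outside". Two points differ from the posted ACL: on the ASA an ICMP type is written as a bare keyword after the destination (the eq keyword is TCP/UDP port syntax), and because time-exceeded messages are sent by each intermediate router rather than by the host being traced, the source cannot be limited to the known external hosts. The inspect icmp error line is what lets the inspection engine tie those hop-originated errors to the original echo-request's connection and NAT state instead of dropping them as unmatched.

```cisco
! Added example (not the poster's config). Assumes acl_outside is applied
! inbound on the interface named "outside" and reuses the poster's
! objectgroup1 for the internal address range (masked value as posted).
object-group network objectgroup1
 description -- these are the source addresses
 network-object xx.xx.0.0 255.255.0.0
!
! ICMP type is a bare keyword after the destination; "eq" is only valid
! for TCP/UDP ports. Source is "any" because time-exceeded comes from
! every intermediate router, not from the traced destination.
access-list acl_outside extended permit icmp any object-group objectgroup1 time-exceeded
! Optional: the final hop answers UDP-based traceroute (Linux/Unix) with
! port-unreachable; Windows tracert uses echo, handled by inspect icmp.
access-list acl_outside extended permit icmp any object-group objectgroup1 unreachable
access-group acl_outside in interface outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  ! Match hop-originated ICMP errors (time-exceeded, unreachable) to the
  ! echo-request's existing connection and NAT entry.
  inspect icmp error
!
service-policy global_policy global
```

With inspect icmp and inspect icmp error in place, the returning echo-replies and the per-hop errors are tracked against the outbound echo-request, so the trace shows each hop rather than timing out from the ASA onward. Keep the destination restricted to the internal range so the entry only admits error messages addressed to hosts that could have sent the probe.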