Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
371
Views
0
Helpful
1
Replies

ASA Traceroute

jay_7301
Level 1
Level 1

‎01-19-2018 02:50 PM - edited ‎02-21-2020 07:10 AM

Hi,

 

I'm unable to traceroute through a CISCO ASA 5505. We want to be able to trace to websites for diagnostic purposes for example 8.8.8.8. The following commands we currently have on the firewall are

 

access-list outside_in extended permit icmp any any time-exceeded
access-list outside extended permit icmp any host (outside public ip ) time-exceeded
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp

 

Cisco Adaptive Security Appliance Software Version 9.1(7)4

 

tracing from the asa sourcing from the outside interface is successful, however tracing from the internal network isn't

 

Any recommendations would be great

 

Thanks

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-19-2018 05:57 PM

Paul Stewart wrote a blog post a number of years ago that's still valid:

 

http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

 

From what you posted you should also include decrement-ttl at a minimum. If that doesn't fix it, tell us more specifically what failure you are seeing and we can go from there.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card