Can't traceroute through ASA - 9.8

smartnet1234
Level 1

Hi, I have tried everything provided on this platform related to this issue, but I still cannot traceroute through the ASA. Only the last, or sometimes the second-last, hop is shown. Please help, as I have done everything I could.

We have two security-level 100 interfaces, namely 'inside' and 'wan'. When users from inside try to traceroute to wan users, the traceroute hops are never seen until the last hop.

Configuration and traceroute screenshots are attached.

It used to show the traceroute to 8.8.8.8 before, but now not even that is shown through the trace.


You are applying the access list to the interfaces that are not defined in the routing configuration:

access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable

access-group outside_access_in in interface cybernet
access-group outside_access_in in interface multinet

route wan 192.168.64.0 255.255.254.0 172.16.20.5 1

--
Please remember to select a correct answer and rate helpful posts

But I have applied the following to 'inside' and 'wan'. Shouldn't that be enough to get traceroute to work between them?

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_in in interface wan

I cut the following route configuration from the one I attached to hide my IP addresses. The route configuration below is correct. Don't worry about the default routes; they are there. I'm worried about the 'wan' and 'inside' interfaces, because between them the traceroute is not working.

 

route cybernet 0.0.0.0 0.0.0.0 x.x.x.x 1
route multinet 0.0.0.0 0.0.0.0 x.x.x.x 1
route wan 10.0.0.0 255.0.0.0 172.16.20.5 1
route wan 172.16.20.0 255.255.255.252 172.16.20.5 1
route wan 192.168.8.0 255.255.252.0 172.16.20.5 1
route wan 192.168.64.0 255.255.254.0 172.16.20.5 1
route wan 192.168.66.0 255.255.255.0 172.16.20.5 1
route wan 192.168.67.0 255.255.255.0 172.16.20.5 1
route wan 192.168.68.0 255.255.255.0 172.16.20.5 1
route wan 192.168.69.0 255.255.255.0 172.16.20.5 1
route wan 192.168.70.0 255.255.255.0 172.16.20.5 1
route wan 192.168.90.0 255.255.255.0 172.16.20.5 1
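The two replies above disagree about whether the right interfaces carry the ICMP permits that traceroute needs (time-exceeded and unreachable coming back to the initiator). As an added example, not from this thread or from Cisco, here is a small checker that parses the `access-list` / `access-group` lines in the form quoted above and reports, per interface, which of those ICMP types the bound inbound ACL does not permit. The config text is constructed in the style of the thread's config, with a hypothetical `dmz` ACL and an unbound `guest` interface added to show the failure cases; it only understands the simple `any any` ACL form seen here, and an ACL check cannot see drops inside the FirePOWER module, which is where this thread's problem ended up.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the ASA config quoted in the thread.
# 'dmz' and 'guest' are hypothetical additions to exercise the checks.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface cybernet
access-group outside_access_in in interface multinet
access-group inside_access_in in interface inside
access-group inside_access_in in interface wan
access-group dmz_access_in in interface dmz
"""

# ICMP error types a traceroute initiator must be allowed to receive.
TRACEROUTE_ICMP = {"time-exceeded", "unreachable"}

# Matches: access-list NAME extended permit PROTO SRC DST [ICMP-TYPE]
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+\S+\s+\S+(?:\s+(\S+))?\s*$")
# Matches: access-group NAME in interface IFACE
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")


def parse_config(text):
    """Return ({acl: permitted icmp types, '*' meaning any}, {iface: acl})."""
    acls, bindings = defaultdict(set), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, icmp_type = m.groups()
            if proto == "ip":            # permit ip any any covers all ICMP
                acls[name].add("*")
            elif proto == "icmp":        # bare 'permit icmp any any' is also any type
                acls[name].add(icmp_type or "*")
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings


def missing_traceroute_permits(text, interfaces):
    """Per interface, the traceroute ICMP types its inbound ACL does not permit.
    An interface with no access-group bound falls back to the security-level
    default policy, so it is reported as missing everything for manual review."""
    acls, bindings = parse_config(text)
    report = {}
    for iface in interfaces:
        permitted = acls.get(bindings.get(iface), set())
        missing = set() if "*" in permitted else TRACEROUTE_ICMP - permitted
        report[iface] = sorted(missing)
    return report
```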

Have you verified that traceroute is not being dropped in FirePOWER?


What's the fastest/recommended way to check this?

You could log into the FirePOWER CLI and run the command system support firewall-engine-debug, enter the server and client IP, and leave all else blank. Then run a test. You might also be able to see this under the Analysis tab if you search for the specified initiator IP under Connection events.

Yes, it was getting dropped at the SFR. Problem resolved.
