04-28-2018 12:31 AM - edited 02-21-2020 07:40 AM
Hi, I have tried everything provided on this platform related to this issue but I still cannot traceroute through the ASA. Only the last, or sometimes the second-to-last, hop is shown. Please help, as I have done everything I could.
We have two security-level 100 interfaces, namely 'inside' and 'wan'. When users from inside try to traceroute to wan users, the traceroute hops are never seen until the last hop.
Configuration and traceroute screen shots are attached.
It used to show traceroute of 8.8.8.8 before but now not even that is shown through trace.
04-28-2018 12:36 PM
Have you verified that traceroute is not being dropped in FirePOWER?
04-28-2018 12:58 AM
You are applying the access list to the interfaces that are not defined in the routing configuration
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface cybernet
access-group outside_access_in in interface multinet
route wan 192.168.64.0 255.255.254.0 172.16.20.5 1
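A small config cross-check for the point made in this reply, added here as an example that is not from the thread or from Cisco: it reads ASA `access-list`, `access-group` and `route` lines and reports, for every interface the routing table references, whether the inbound ACL bound to it permits the ICMP time-exceeded and unreachable messages traceroute depends on. The sample config is constructed, and only the `any any [icmp-type]` entry form seen in the thread is parsed.

```python
import re
# Constructed sample modelled on the thread's snippets, not the poster's full config.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface cybernet
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_in in interface wan
access-list dmz_access_in extended permit icmp any any time-exceeded
access-group dmz_access_in in interface dmz
route cybernet 0.0.0.0 0.0.0.0 203.0.113.1 1
route wan 192.168.64.0 255.255.254.0 172.16.20.5 1
route dmz 10.9.0.0 255.255.0.0 10.9.0.1 1
"""
# ICMP messages a traceroute relies on: TTL expiry from each hop, port-unreachable from the target.
NEEDED_ICMP = {"time-exceeded", "unreachable"}
# Assumption: only the 'any any [icmp-type]' entry form used in the thread is parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any any(?: (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) ")

def parse(config):
    acls, inbound, routed = {}, {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            inbound[m.group(2)] = m.group(1)  # inbound ACL bound to this interface
        elif m := ROUTE_RE.match(line):
            routed.add(m.group(1))            # interface that actually carries traffic
    return acls, inbound, routed

def permits_traceroute_replies(entries):
    types = set()
    for proto, icmp_type in entries:
        if proto == "ip" or (proto == "icmp" and icmp_type is None):
            return True  # blanket permit covers all ICMP
        if proto == "icmp":
            types.add(icmp_type)
    return NEEDED_ICMP <= types

def audit(config):
    acls, inbound, routed = parse(config)
    report = {}
    for iface in sorted(routed):  # an ACL on an interface no route uses never sees the replies
        acl = inbound.get(iface, "<none>")
        ok = permits_traceroute_replies(acls.get(acl, []))
        report[iface] = "ok" if ok else f"inbound ACL {acl} does not permit ICMP time-exceeded/unreachable"
    return report

print(audit(SAMPLE_CONFIG))
```

An interface that appears in `route` lines but never in an `access-group` line is reported with ACL `<none>`, which is worth a manual look rather than a fix in the ACL itself.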
04-28-2018 02:14 AM
But I have applied the following to 'inside' and 'wan'. Shouldn't that be enough to get traceroute to work between them?
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_in in interface wan
04-28-2018 02:19 AM
I cut the following route configuration from the one I attached to hide my IP addresses. The route configuration below is correct. Don't worry about the default routes; they are there. I'm worried about the 'wan' and 'inside' interfaces, because between them the traceroute is not working.
route cybernet 0.0.0.0 0.0.0.0 x.x.x.x 1
route multinet 0.0.0.0 0.0.0.0 x.x.x.x 1
route wan 10.0.0.0 255.0.0.0 172.16.20.5 1
route wan 172.16.20.0 255.255.255.252 172.16.20.5 1
route wan 192.168.8.0 255.255.252.0 172.16.20.5 1
route wan 192.168.64.0 255.255.254.0 172.16.20.5 1
route wan 192.168.66.0 255.255.255.0 172.16.20.5 1
route wan 192.168.67.0 255.255.255.0 172.16.20.5 1
route wan 192.168.68.0 255.255.255.0 172.16.20.5 1
route wan 192.168.69.0 255.255.255.0 172.16.20.5 1
route wan 192.168.70.0 255.255.255.0 172.16.20.5 1
route wan 192.168.90.0 255.255.255.0 172.16.20.5 1
04-30-2018 12:19 AM
04-30-2018 12:26 AM
You could log into the FirePOWER CLI and run the command system support firewall-engine-debug, enter the server and client IP, and leave everything else blank. Then run a test. You might also be able to see this under the Analysis tab if you search for the specified initiator IP under Connection events.
04-30-2018 04:32 AM
Yes, it was getting dropped at the SFR. Problem resolved.