Cisco ASA Traceroute OUT-IN

DEV1389
Level 1

Hello,

I am tracing from outside to inside with the following config, but I am not able to trace from outside; it is working from inside to outside.

class-map inspection_default
match default-inspection-traffic
class-map TRACE-C
match port udp range 33434 33464
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
inspect icmp error
class TRACE-C
set connection decrement-ttl
class class-default
set connection decrement-ttl
inspect icmp

 

ciscoasa# show running-config access-list
access-list OUTIN extended permit icmp any any log
access-list OUTIN extended permit icmp any any time-exceeded log
access-list OUTIN extended permit icmp any any unreachable
access-list OUTIN extended permit icmp any any traceroute
access-list OUTIN extended permit icmp any any echo
access-list OUTIN extended permit icmp any any echo-reply
ciscoasa# show running-config access-g
ciscoasa# show running-config access-group
access-group OUTIN in interface outside
ciscoasa#

 

 

**************************************

CoreRtr#ping 172.16.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/26/44 ms
CoreRtr#traceroute 172.16.30.1
Type escape sequence to abort.
Tracing the route to 172.16.30.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.10.1 24 msec 11 msec 6 msec
2 172.16.20.3 20 msec 30 msec 27 msec
3 172.16.30.1 25 msec 68 msec *
CoreRtr#

*************************

Outside #ping 10.10.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/33/43 ms
Outside# traceroute 10.10.10.5
Type escape sequence to abort.
Tracing the route to 10.10.10.5
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.30.2 21 msec 7 msec 5 msec
2 * * *
3 * * *

4 Replies

balaji.bandi
Hall of Fame

What is the ASA model and code running? Try the below on global_policy.

 

asa-bb(config)# policy-map global_policy
asa-bb(config-pmap)# class class-default
asa-bb(config-pmap-c)# set connection decrement-ttl

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

Already configured, in class-default. 

 

 

ciscoasa(config)# show ver

Cisco Adaptive Security Appliance Software Version 9.17(1)
SSP Operating System Version 2.11(1.154)
Device Manager Version 7.17(1)

Compiled on Tue 30-Nov-21 17:33 GMT by builders
System image file is "boot:/asa9171-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 6 mins
failover cluster up 2 hours 6 mins
Start-up time 14 secs

Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2600 MHz,

I only see the other class, not in default.

 

class TRACE-C
set connection decrement-ttl
class class-default
set connection decrement-ttl
inspect icmp

BB


First try ping, is it successful?
