Confusing traceroute

anowell
Level 1

We just installed an ASA this past weekend and now when we traceroute to a destination on the internet it does not show each hop, only the destination repeatedly.

This is tracing from a device on the "inside". I get the same results when tracing from the ASA. Any ideas what would cause this?

C:\Documents and Settings\HEN>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.19.1.1
  2    <1 ms    <1 ms    <1 ms  google-public-dns-a.google.com [8.8.8.8]
  3     1 ms     1 ms     1 ms  google-public-dns-a.google.com [8.8.8.8]
  4     4 ms     3 ms     3 ms  google-public-dns-a.google.com [8.8.8.8]
  5     4 ms     4 ms     4 ms  google-public-dns-a.google.com [8.8.8.8]
  6    13 ms    13 ms    13 ms  google-public-dns-a.google.com [8.8.8.8]
  7    13 ms    13 ms    51 ms  google-public-dns-a.google.com [8.8.8.8]
  8    13 ms    14 ms    13 ms  google-public-dns-a.google.com [8.8.8.8]
  9    14 ms    14 ms    17 ms  google-public-dns-a.google.com [8.8.8.8]
 10    14 ms    14 ms    14 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

Accepted Solution

Roman Rodichev
Level 7

Try this:

policy-map global_policy
 class class-default
  set connection decrement-ttl

I usually put this config when the customer doesn't care about allowing full ICMP/traceroute traffic through the firewall.

object-group icmp-type ICMPGroup
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
!
access-list outside_inbound extended permit icmp any any object-group ICMPGroup
!
access-group outside_inbound in interface outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global

That did the trick.

I first applied the following but still got the same results.

policy-map global_policy
 class class-default
  set connection decrement-ttl

I then went back and applied the following to my global policy and it fixed the issue. I did not add "inspect icmp" because it was already configured.

 class inspection_default
  inspect icmp error

Thanks so much!!!  :-)

Great!!
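The symptom in this thread (every hop after the first answering with the target's address) can be checked for automatically after a firewall change. The following is an added example, not part of the original posts: a Python parser for Windows `tracert` output that lists the hops masked as the destination. The sample traces and the function names are constructed for illustration.

```python
import re

# Constructed sample: shortened version of the symptom shown in the thread.
MASKED = """\
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.19.1.1
  2    <1 ms    <1 ms    <1 ms  google-public-dns-a.google.com [8.8.8.8]
  3     1 ms     1 ms     1 ms  google-public-dns-a.google.com [8.8.8.8]
  4     *        *        *     Request timed out.
  5     4 ms     4 ms     4 ms  google-public-dns-a.google.com [8.8.8.8]
"""

# Constructed sample: a healthy trace using documentation-range addresses.
HEALTHY = """\
Tracing route to 203.0.113.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.19.1.1
  2     2 ms     2 ms     2 ms  192.0.2.1
  3     9 ms     9 ms     9 ms  198.51.100.1
  4    13 ms    13 ms    13 ms  203.0.113.5
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TARGET_RE = re.compile(r"Tracing route to (?:\S+ \[)?" + IP)  # name [ip] or bare ip
HOP_RE = re.compile(r"^\s*(\d+)\s+\S")                         # line starting with a hop number
HOP_IP_RE = re.compile(IP + r"\]?\s*$")                        # responder address at end of line

def parse_hops(text):
    """Return [(hop_number, ip or None)]; None means the hop timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = HOP_IP_RE.search(line)
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def masked_hops(text):
    """Hop numbers before the final hop that answered with the target's address."""
    hops = parse_hops(text)
    target = TARGET_RE.search(text)
    if not hops or not target:
        return []
    # The target should appear only as the last hop; earlier hits are masked hops.
    return [n for n, ip in hops[:-1] if ip == target.group(1)]
```

An empty list from `masked_hops` means each intermediate hop answered with its own address; a non-empty list reproduces what the original poster saw before `inspect icmp error` was added.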
