Solved: Enable traceroute on ASA

Tupe_kunal · ‎02-10-2015

Hi,

Below is the config on one of my ASA. However, i am unable to traceroute. What could be the issue.

access-group outside_access_in in interface OUTSIDE
access-group INSIDE in interface inside
access-group DMZ in interface DMZ

#sh run access-list outside_access_in | i icmp
access-list acronisbosrtr1_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2

#sh access-list outside_access_in | i icmp
access-list outside_access_in line 1 extended permit icmp any any object-group DM_INLINE_ICMP_2 (hitcnt=4) 0xcbc18759
access-list outside_access_in line 1 extended permit icmp any any echo (hitcnt=4) 0x30be5688
access-list outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=175) 0x316fe298
access-list outside_access_in line 1 extended permit icmp any any traceroute (hitcnt=0) 0x6b47fb2a
access-list outside_access_in line 1 extended permit icmp any any unreachable (hitcnt=2) 0x30f100d2
access-list outside_access_in line 1 extended permit icmp any any time-exceeded (hitcnt=526) 0x16e6cb5d

icmp permit host 4.2.2.2 OUTSIDE
icmp deny any OUTSIDE

# sh run object-group id DM_INLINE_ICMP_2
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect sip
class class-default

# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

# traceroute 4.2.2.2

Type escape sequence to abort.
Tracing the route to 4.2.2.2

1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 b.resolvers.level3.net (4.2.2.2) 20 msec * 0 msec

Marvin Rhoads · ‎02-10-2015

Where are you running the traceroute command from? If from the ASA itself, it appears that there might be an upstream ASA not setup like yours.

Other than that, your config looks correct. You might add the bits:

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl

...in order to appear as the first hop for clients on the inside of your ASA going out.

View solution in original post

Marvin Rhoads · ‎02-10-2015

Where are you running the traceroute command from? If from the ASA itself, it appears that there might be an upstream ASA not setup like yours.

Other than that, your config looks correct. You might add the bits:

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl

...in order to appear as the first hop for clients on the inside of your ASA going out.

Tupe_kunal · ‎02-11-2015

Hi Marvin,

Thank you for the reply.

I am trying to traceroute 4.2.2.2 from the ASA itself.

This is a Edge device where the Internet WAN link is terminated.

Will running this command #set connection decrement-ttl on the production ASA cause kind of outage.

Regards,

Kunal Tupe

Marvin Rhoads · ‎02-11-2015

Kunal,

The settings you have made as described above all affect a traceroute THROUGH the ASA. You problem is with traceroute FROM the ASA and thus lies in your upstream firewall.

The one additional command I suggested only serves to add the ASA itself as a visible hop from traceroute originated behind your firewall and traversing it outbound. IT will not cause an outage but will also not fix the original problem you asked about.

Tupe_kunal · ‎02-12-2015

Hi Marvin.

Thanks a ton for your help.

It worked for me.

I removed and reconfigured the acl and policy map with "set connection decrement-ttl" as instructed.

Cheers !!!

Regards,

Kunal Tupe