Beginner

Hops not showing in Traceroute after ASA

I'm trying to traceroute through an ASA and none of the hops after the ASA appear. I'm assuming the ASA is blocking the time-exceeded responses but can't seem to fix this behavior. The ACL is simple: source any, destination any, service any ip.

A similar question was asked in https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343 but the answer's link is now a 404.

1 ACCEPTED SOLUTION

VIP Mentor

Hi,

Do you have something like this defined on the ASA?

access-list OUTSIDE_IN remark Permit the ICMP error messages traceroute relies on
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

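A fuller version of that configuration, as an added example that is not part of the original reply: it binds the ACL to the outside interface (the permit lines do nothing until an access-group applies them), optionally lets the ASA decrement the TTL so the ASA itself shows up as a hop, and uses packet-tracer to confirm that a time-exceeded arriving from an arbitrary upstream router is permitted. The interface name outside, the ACL name OUTSIDE_IN, and the addresses 198.51.100.1 (an upstream hop) and 192.0.2.10 (an inside host) are assumptions. Both ICMP types are needed: every intermediate hop answers a probe with time-exceeded (type 11), and a UDP-based traceroute (the Linux and macOS default) only finishes when the destination answers the last probe with a port-unreachable (type 3); a Windows tracert uses ICMP echo, so its final reply is an echo-reply that ICMP inspection already matches.

```cisco
! Added example, not from the original thread. Interface name "outside",
! ACL name OUTSIDE_IN and the two addresses below are assumptions.
!
! Permit the ICMP error messages traceroute relies on, inbound on the
! outside interface. They are sent by intermediate routers, not by the
! host that was probed, so they have to be explicitly allowed in.
access-list OUTSIDE_IN remark Return traffic for traceroute through the ASA
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
!
! The ACL has no effect until it is bound to the interface.
access-group OUTSIDE_IN in interface outside
!
! Optional: make the ASA itself appear as a hop. By default the ASA
! forwards packets without decrementing the TTL, so traceroute never
! sees it; decrement-ttl changes that for traffic matching the class.
policy-map global_policy
 class class-default
  set connection decrement-ttl
!
! Verify: simulate a time-exceeded (ICMP type 11, code 0) from the
! hypothetical upstream router 198.51.100.1 to the inside host
! 192.0.2.10, arriving on the outside interface.
packet-tracer input outside icmp 198.51.100.1 11 0 192.0.2.10
```

In the packet-tracer output the ACCESS-LIST phase should report ALLOW and the final Action should be allow; if it shows DROP with a reason of acl-drop, the ACL is either missing the ICMP type or is not bound to the interface named in the input keyword. Re-run with type 3 code 3 to check the port-unreachable case.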

4 REPLIES


No inbound ACL, but wouldn't that be covered by the stateful nature of "access-list INSIDE-OUTSIDE extended permit ip any any" ?

This post explains it all. Its first paragraph states that inspecting ICMP does not result in traceroute working through the ASA.


HTH


Creating those ACLs was actually the solution. I verified that ICMP inspection in the service policy is still occurring, but for some reason I have to set an inbound rule to allow time-exceeded and unreachables...
