cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4821
Views
0
Helpful
4
Replies

Hops not showing in Traceroute after ASA

Matt
Level 1
Level 1

I'm trying to traceroute through an ASA and none of the hops after the ASA appear. I'm assuming the ASA is blocking the time exceeded responses but can't seem to fix this behavior. The ACL is simple: source any, destination any, service any ip.

 

A similar question was asked in https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343 but the answer's link is now a 404

1 Accepted Solution

Accepted Solutions

Hi,

Do you have something like this defined on the ASA?


access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

View solution in original post

4 Replies 4

Hi,

Do you have something like this defined on the ASA?


access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

No inbound ACL, but wouldn't that be covered by the stateful nature of "access-list INSIDE-OUTSIDE extended permit ip any any" ?

This post explains all. First paragraph states, inspecting icmp does not result in traceroute working through ASA.

 

HTH

Creating those ACLs was actually the solution. I verified that ICMP inspection in the service policy is still occurring but for some reason I have to set an inbound rule to allow time-exceeded and unreachables...

Review Cisco Networking for a $25 gift card