03-26-2018 10:49 AM - edited 02-21-2020 07:33 AM
I'm trying to traceroute through an ASA and none of the hops after the ASA appear. I'm assuming the ASA is blocking the time exceeded responses but can't seem to fix this behavior. The ACL is simple: source any, destination any, service any ip.
A similar question was asked in https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343 but the answer's link is now a 404.
03-26-2018 11:02 AM
Hi,
Do you have something like this defined on the ASA?
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
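As an added example (not from this thread or from Cisco), here is a small Python check that parses ASA `access-list ... extended` lines and reports which traceroute-related ICMP types a named ACL would drop, using first-match-wins and the implicit deny at the end of every ASA ACL. The config fragment and ACL names are constructed for the example; only any/any entries are evaluated, so narrower entries are skipped.

```python
# Constructed sample of ASA running-config lines (not the thread's device).
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_IN extended permit ip any any
"""

# Replies a traceroute initiator must receive back through the firewall:
# time-exceeded from each intermediate hop, unreachable from the final host.
TRACEROUTE_ICMP_TYPES = ("time-exceeded", "unreachable")
ANY = {"any", "any4", "any6"}


def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line; None if it is not one."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    name, action, proto, i = tok[1], tok[3], tok[4], 5

    def address(pos):
        # 'any' is one token; 'host X', 'object X' and 'NET MASK' are two.
        width = 1 if tok[pos] in ANY else 2
        return " ".join(tok[pos:pos + width]), pos + width

    src, i = address(i)
    dst, i = address(i)
    icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "icmp_type": icmp_type}


def icmp_type_permitted(aces, icmp_type):
    """First-match evaluation of an inbound ICMP reply of the given type."""
    # Narrower (non any/any) entries are skipped; no match means implicit deny.
    for ace in aces:
        if ace["src"] not in ANY or ace["dst"] not in ANY:
            continue
        if ace["proto"] == "ip" or (ace["proto"] == "icmp"
                                    and ace["icmp_type"] in (None, icmp_type)):
            return ace["action"] == "permit"
    return False


def blocked_traceroute_types(config, acl_name):
    """Return the traceroute ICMP types that ACL acl_name would drop."""
    aces = [a for a in map(parse_ace, config.splitlines())
            if a and a["name"] == acl_name]
    return [t for t in TRACEROUTE_ICMP_TYPES
            if not icmp_type_permitted(aces, t)]
```

Run it against the output of `show running-config access-list` for the ACL applied inbound on the interface facing the traceroute target; an empty list means both reply types are permitted.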
03-26-2018 11:21 AM - edited 03-26-2018 11:22 AM
This post explains all. The first paragraph states that inspecting ICMP does not result in traceroute working through the ASA.
HTH
03-26-2018 03:41 PM - edited 03-26-2018 03:42 PM
Creating those ACLs was actually the solution. I verified that ICMP inspection in the service policy is still occurring but for some reason I have to set an inbound rule to allow time-exceeded and unreachables...