Hops not showing in Traceroute after ASA

Matt, Level 1

I'm trying to traceroute through an ASA and none of the hops after the ASA appear. I'm assuming the ASA is blocking the time exceeded responses but can't seem to fix this behavior. The ACL is simple: source any, destination any, service any ip.

A similar question was asked in https://supportforums.cisco.com/t5/firewalling/asa-not-allowing-traceroute/td-p/1783343 but the answer's link is now a 404.

Accepted Solution

Hi,

Do you have something like this defined on the ASA?


access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable


4 Replies


No inbound ACL, but wouldn't that be covered by the stateful nature of "access-list INSIDE-OUTSIDE extended permit ip any any" ?

This post explains it all. The first paragraph states that inspecting ICMP does not result in traceroute working through the ASA.

HTH

Creating those ACLs was actually the solution. I verified that ICMP inspection in the service policy is still occurring but for some reason I have to set an inbound rule to allow time-exceeded and unreachables...
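The accepted answer's two ACL lines written out as a complete inbound policy, as an added example that is not from this thread: the destination is narrowed to an assumed inside subnet (192.168.1.0/24) instead of any, and the list is bound to the outside interface with access-group, which is what a box with "no inbound ACL" is missing. The interface name "outside" is also an assumption.

```cisco
! Added example, not the thread's own configuration. Assumes the inside
! network is 192.168.1.0/24 and the outside interface is named "outside".
!
! Only the two ICMP error types traceroute relies on, and only when they are
! addressed to inside hosts. The accepted answer's "any any" form works too
! but also admits these errors for destinations that never sent a probe.
access-list OUTSIDE_IN remark ICMP errors returned to inside hosts running traceroute
access-list OUTSIDE_IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE_IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
!
! Bind the list inbound on the outside interface. Anything else arriving on
! outside still hits the implicit deny at the end of the list; return traffic
! for connections opened from inside is still handled by the stateful engine.
access-group OUTSIDE_IN in interface outside
```

After applying it, a traceroute from an inside host should show the hops beyond the ASA; check the hit counts with "show access-list OUTSIDE_IN" to confirm the two permit lines are matching.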
