Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4108
Views
0
Helpful
16
Replies

How do I get traceroutes to work through ASA?

Andy White
Level 3
Level 3

‎10-22-2013 12:30 AM - edited ‎03-11-2019 07:54 PM

Hello,

We have a number of networks that go though our ASA, but we have never been able to run a traceroute even though we have ICMP any any running on each inerface.  When we try a tracert from a Windows PC to a remote destination like google it works, but if we try a trace through one of the subinterfaces off the ASA (DMZ) it doesn't work.

For example I try and trace a router on our WAN and it goes to our LAN switch which then forwards to the ASA and then it his a wall:

C:\Users\me>tracert 172.30.2.1 (remote WAN router)

Tracing route to 172.30.2.1 over a maximum of 30 hop

  1    <1 ms    <1 ms    <1 ms  192.168.90.254 (my gateway, whichis our core LAN switch)

  2     *             *        *     Request timed out.

I've never been able to solve this, any ideas?

Thanks

Labels:
0 Helpful
16 Replies 16

Andy White
Level 3
Level 3
In response to Jouni Forss

‎10-22-2013 07:42 AM

I read that using icmp fixup and icmp fixup error has worked, is this included under the default icmp inspect as I can't find this?

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Andy White

‎10-22-2013 07:53 AM

Hi,

The below configuration commands

fixup protocol icmp

fixup protocol icmp error

are the old command format which is still supported but in newer software they will be converted to

inspect icmp

inspect icmp error

which were already in your configuration

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card