09-24-2018 07:13 PM - edited 02-21-2020 08:16 AM
How to enable traceroute traffic flow for all directions & interfaces in ASA Version 9.1(7)?
The reason was traceroute from PC meets with *** time-out when it reaches the firewall.
09-24-2018 09:14 PM - edited 09-24-2018 09:15 PM
hi,
allow ICMP unreachable and time-exceeded on your 'outside' ACL.
sample would be:
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
09-25-2018 06:28 AM
..and make sure you "inspect icmp" in your class-map that's referenced in your active policy-map.
https://packetu.com/2009/10/09/traceroute-through-the-asa/
09-28-2018 01:53 AM
09-28-2018 02:00 AM
Your class map needs to include icmp inspection.
If there's any access-list applied to the inside interface it must also allow icmp.
09-28-2018 02:29 AM
Are there any examples of config I can refer to?
09-28-2018 02:31 AM
Yes - please see the link I provided in my reply dated 9-25-2018.
09-28-2018 04:52 AM
"Your class map needs to include icmp inspection". I am not sure how to check in the present config what is meant by "class map" here. I have read through the blog but am not sure about the icmp inspection, except for the access list config.
How is class map config enabled for traceroute? How is it normally configured? Any example/sample config would be great.
09-28-2018 05:35 AM
ASA(config)# fixup protocol icmp
OR
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
11-03-2018 05:15 PM
policy-map global_policy
class inspection_default
inspect icmp
policy-map global_policy
class class-default
set connection decrement-ttl
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface OUTSIDE
hope that helps.
azam
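An added example, not part of any poster's reply: a Python check that reads an ASA running-config and reports which of the settings suggested in this thread are absent (the two ICMP ACL entries in an ACL bound with access-group, plus `inspect icmp` and `set connection decrement-ttl` in a policy-map activated by service-policy). The sample config and function names are constructed for illustration, and the check only matches the literal `permit icmp any any` form used above.

```python
import re

# Constructed sample running-config (not from the thread), missing two items.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""

def policy_map_actions(config):
    """Return {policy-map name: [action lines under any of its classes]}."""
    maps, current, in_class = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command closes the block
            m = re.match(r"policy-map (\S+)$", line)
            current = maps.setdefault(m.group(1), []) if m else None
            in_class = False
        elif current is not None:
            if line.startswith("class "):
                in_class = True
            elif in_class:
                current.append(line)
    return maps

def audit_traceroute(config):
    """List the settings recommended in the thread that the config lacks."""
    missing = []
    # Only ACLs bound inbound to an interface with access-group count.
    bound = set(re.findall(r"^access-group (\S+) in interface \S+", config, re.M))
    for icmp_type in ("time-exceeded", "unreachable"):
        pat = r"^access-list (\S+) extended permit icmp any any %s\s*$" % icmp_type
        if not bound & set(re.findall(pat, config, re.M)):
            missing.append("acl permit icmp " + icmp_type)
    # Only policy-maps activated by a service-policy line count.
    active = set(re.findall(r"^service-policy (\S+) ", config, re.M))
    actions = [a for name, acts in policy_map_actions(config).items()
               if name in active for a in acts]
    for needed in ("inspect icmp", "set connection decrement-ttl"):
        if needed not in actions:
            missing.append(needed)
    return missing
```

Calling `audit_traceroute()` on the text of `show running-config` returns an empty list when all four items are present.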