How to enable full traceroute in ASA?

getaway51
Level 2
Level 2

How do I enable traceroute traffic flow for all directions and interfaces in ASA Version 9.1(7)?

The reason is that a traceroute from the PC meets with *** time-outs when it reaches the firewall.

9 Replies

johnlloyd_13
Level 9
Level 9

hi,

allow ICMP unreachable and time-exceeded on your 'outside' ACL.

sample would be:

access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded

...and make sure you "inspect icmp" in your class-map that's referenced in your active policy-map.

https://packetu.com/2009/10/09/traceroute-through-the-asa/

You mean the commands below are still not sufficient to allow traceroute? What else is needed?

! create an ACL that permits the incoming ICMP
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable

! bind the ACL to the outside interface
access-group outside_access_in in interface outside

Your class map needs to include icmp inspection.

If there's any access-list applied to the inside interface it must also allow icmp.

Are there any examples of config I can refer to?

Yes - please see the link I provided in my reply dated 9-25-2018.

"Your class map needs to include icmp inspection". I am not sure how to check, in the present config, what is meant by "class map" here. I have read through the blog but am not sure about the ICMP inspection beyond the access-list config.

How is the class map config enabled for traceroute? How is it normally configured? Any example/sample config would be great.

ASA(config)# fixup protocol icmp
 OR
ASA(config)# policy-map global_policy
ASA(config-pmap)# class default-inspection-class
ASA(config-pmap-c)# inspect icmp

mkazam001
Level 3
Level 3

policy-map global_policy
 class inspection_default
  inspect icmp

policy-map global_policy
 class class-default
  set connection decrement-ttl

access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface OUTSIDE

Hope that helps.

azam
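The replies above name four things that have to line up for traceroute to cross the ASA: the inbound ACL on the outside interface must permit ICMP time-exceeded (type 11) and unreachable (type 3), the class in the policy-map that is actually applied must carry `inspect icmp`, and `set connection decrement-ttl` is what makes the ASA itself show up as a hop. Checking all of that by eye in a long running-config is error-prone, so here is a small audit script that parses a `show running-config` excerpt and reports which of the four are missing. It is an added example, not code from this thread or from Cisco; the two config excerpts are constructed, and `parse_config`, `audit_traceroute` and `missing` are my own names. It goes slightly beyond the thread in that it honours ASA's first-match ACL order (a broad `deny ip any any` above the permits would correctly fail the check), accepts numeric ICMP types, and only counts a policy-map that a `service-policy` line really applies.

```python
"""Audit an ASA running-config excerpt for what traceroute needs: inbound
permits for ICMP time-exceeded/unreachable on the outside ACL, 'inspect icmp'
in an applied policy-map, and 'set connection decrement-ttl'.
Added example (not from the thread or Cisco); configs are constructed."""

ADDR_ONE = {"any", "any4", "any6"}                         # one-token address specs
ICMP_NAMES = {"3": "unreachable", "11": "time-exceeded"}   # normalise numeric types


def _skip_addr(tokens, i):
    """Index just past one ACL address spec: 'any', 'host X', 'object X', 'A.B.C.D MASK'."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] in ADDR_ONE else i + 2


def parse_config(text):
    """Collect ACL entries, access-group bindings, policy-map classes and applied policies."""
    acls, groups, pmaps, applied = {}, {}, {}, set()
    pmap = cls = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if not raw.startswith(" "):
            pmap = cls = None  # any top-level line closes the current policy-map block
        if tokens[0] == "access-list" and len(tokens) > 6 and tokens[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST [ICMP-TYPE] [log ...]
            name, action, proto = tokens[1], tokens[3], tokens[4]
            i = _skip_addr(tokens, _skip_addr(tokens, 5))
            icmp_type = tokens[i] if i < len(tokens) and tokens[i] != "log" else None
            acls.setdefault(name, []).append((action, proto, ICMP_NAMES.get(icmp_type, icmp_type)))
        elif tokens[0] == "access-group" and len(tokens) == 5:
            groups[(tokens[4], tokens[2])] = tokens[1]      # (ifname, in|out) -> ACL name
        elif tokens[0] == "policy-map" and len(tokens) == 2:
            pmap = tokens[1]                                 # 'policy-map type inspect' skipped
            pmaps.setdefault(pmap, {})                       # re-entering a policy-map edits it
        elif tokens[0] == "class" and pmap and not raw.startswith("  "):
            cls = tokens[1]
            pmaps[pmap].setdefault(cls, [])
        elif raw.startswith("  ") and pmap and cls:
            pmaps[pmap][cls].append(" ".join(tokens))        # command inside a class
        elif tokens[0] == "service-policy" and len(tokens) >= 3:
            applied.add(tokens[1])
    return acls, groups, pmaps, applied


def audit_traceroute(text, outside="outside"):
    """Four pass/fail checks against the ACL bound inbound on `outside` and applied policy-maps."""
    acls, groups, pmaps, applied = parse_config(text)
    inbound = acls.get(groups.get((outside, "in")), [])

    def permits(icmp_type):
        # ASA evaluates ACEs top-down, first match wins; no match means implicit deny
        for action, proto, acl_type in inbound:
            if proto in ("icmp", "ip") and acl_type in (None, icmp_type):
                return action == "permit"
        return False

    active = {cmd for name in applied for cmds in pmaps.get(name, {}).values() for cmd in cmds}
    return {
        "time_exceeded_permitted": permits("time-exceeded"),
        "unreachable_permitted": permits("unreachable"),
        "icmp_inspected": "inspect icmp" in active,
        "decrement_ttl": "set connection decrement-ttl" in active,
    }


def missing(text, outside="outside"):
    """Sorted names of the checks that fail."""
    return sorted(k for k, ok in audit_traceroute(text, outside).items() if not ok)


# Constructed excerpt with everything in place (not a real device's config).
GOOD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
access-list OUTSIDE-IN remark ICMP type 11 for Windows traceroute
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN remark ICMP type 3 for Cisco and Linux traceroute
access-list OUTSIDE-IN extended permit icmp any any 3
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
"""

# Constructed excerpt that looks close but still breaks traceroute.
WEAK_CONFIG = """\
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "missing:", missing(cfg) or "nothing")
```

Feed it the output of `show running-config` and pass the `nameif` of the interface the traceroute enters on; `missing()` returning an empty list means the four items the replies ask for are present, while the weak excerpt reports `decrement_ttl`, `icmp_inspected` and `time_exceeded_permitted` even though it does permit unreachables.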

 
