
How to perform traceroute operations from the firewall itself

GRANT GATHAGAN
Level 1

This is an old question for an old firewall, but I've not found any definitive answer.
I have found PLENTY of answers regarding the allowance of traceroute *through* a firewall.
That is NOT what I'm asking.
I need the firewall itself to perform the traceroute functions.
I've tried the traceroute option in the tools menu of the ASDM, but I get no response.
Within the "Management Access" subsection of the Device Management menu, there's an ICMP item whose purpose is "Specify rules allowing or denying ICMP messages destined for an ASA interface".
I created an entry that permitted ICMP messages from anywhere to the outside interface.
This had no impact.

In addition, I don't want to screw up the existing access lists, so I want to do the work from the ASDM, not from the command line.

Any cogent thoughts are welcome.

Accepted Solution

Did you try the command from the CLI?

If you traceroute from the ASA, it does not need any change in the ASA's policy.

Check it.

MHM


8 Replies

balaji.bandi
Hall of Fame
Within the "Management Access" subsection of the Device Management menu, there's an ICMP item whose purpose is "Specify rules allowing or denying ICMP messages destined for an ASA interface".


Configure ICMP Access Rules


By default, you can send ICMP packets to any interface using either IPv4 or IPv6, with these exceptions:

  • The ASA does not respond to ICMP echo requests directed to a broadcast address.

  • The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

To protect the device from attacks, you can use ICMP rules to limit ICMP access to interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.

If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. Additionally ICMP packets in IPv6 are used in the IPv6 neighbor discovery process.


I created an entry that permitted ICMP messages from anywhere to the outside interface.

What is not working? Are you not able to ping the outside interface? What is the source, a public IP?

BB

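The ICMP rule semantics quoted above (first match wins, an implicit deny appears as soon as any rule exists for an interface, and type 3 unreachable should stay permitted), as an added Python example that is not part of this thread and not Cisco's code: it parses `icmp` rule lines in the ASA syntax, evaluates what would happen to an ICMP message addressed to an interface, and flags rule sets that would drop ICMP unreachable. The interface names, addresses and the two sample rule sets are constructed.

```python
import ipaddress
import re

# icmp {permit|deny} {any | host A.B.C.D | A.B.C.D MASK} [icmp_type] interface_name
RULE_RE = re.compile(r"^icmp\s+(permit|deny)\s+(any|host\s+\S+|\S+\s+\S+)(?:\s+([a-z-]+))?\s+(\S+)$")

def parse_icmp_rules(config):
    """Parse the 'icmp' rule lines of an ASA config, keeping their order (first match wins)."""
    rules = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("icmp "):
            continue  # '!' comments and unrelated commands
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icmp rule: {line!r}")
        action, source, icmp_type, iface = m.groups()
        rules.append({"action": action, "source": source, "type": icmp_type, "iface": iface})
    return rules

def source_matches(source, src_ip):
    """True when a rule's source clause (any / host A / A MASK) covers src_ip."""
    if source == "any":
        return True
    if source.startswith("host "):
        return src_ip == source.split()[1]
    net_addr, mask = source.split()
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(f"{net_addr}/{mask}", strict=False)

def icmp_to_interface(rules, iface, src_ip, icmp_type):
    """'permit' or 'deny' for an ICMP message addressed to an ASA interface: no rules for the
    interface means the default permit; otherwise the first matching rule decides."""
    iface_rules = [r for r in rules if r["iface"] == iface]
    if not iface_rules:
        return "permit"
    for r in iface_rules:
        if source_matches(r["source"], src_ip) and r["type"] in (None, icmp_type):
            return r["action"]
    return "deny"  # implicit deny, present as soon as any rule exists for the interface

def drops_unreachable(rules, iface, src_ip):
    """True when the rules would drop ICMP unreachable (type 3) from src_ip, breaking PMTUD."""
    return icmp_to_interface(rules, iface, src_ip, "unreachable") == "deny"

# Constructed sample rule sets (interface and address values are assumptions).
# WEAK: only the intended deny was written, so the implicit deny now drops type 3 as well.
WEAK_CONFIG = "icmp deny any echo outside\n"
# FIXED: type 3 is explicitly permitted and a permit-any closes the list.
FIXED_CONFIG = ("icmp deny any echo outside\n"
                "icmp permit any unreachable outside\n"
                "icmp permit any outside\n")
```

Run `drops_unreachable` against a proposed rule set before applying it on the ASA; the weak set above returns True, the fixed set False.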


Marvin Rhoads
Hall of Fame

Simple answer: Cisco firewalls (either ASA or FTD) cannot initiate traceroute.

Thanks @MHM Cisco World, I was mis-remembering.

You are so welcome, friend.

MHM

GRANT GATHAGAN
Level 1

Aloha all and thank you for your responses.
This was a head-scratcher that became much ado about nothing.
The ASDM has a tools menu that includes ping, traceroute and packet tracer.
I couldn't get ping or traceroute to work.
When I opened an SSH session with the firewall, however, I had no problems running the traceroute command.
So while I'm not sure why the ASDM method didn't work, it wasn't necessary.

Mahalo for your help,
Grant


You are welcome 

MHM
