Re: PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater · ‎09-18-2008

I have ASA 5505.... from my LAN i can ping internet devices but i cant Traceroute it !!

I tried everything i found in cisco:

1- ACL: i allowed all kind ICMP , IP, UDP , TCP in Inside and outside

2- ICMP Inspect

3-set connection decrement-ttl

my lan device is UNIX

and i can do traceroute from the ASA

and attached my SHOW RUN

suschoud · ‎09-18-2008

add :

inspect icmp error

Regards,

Sushil

suschoud · ‎09-18-2008

Oops....you have unix server on inside..hmmm.UNIX uses udp for traceroute.

could you please take syslogs at the debugging level....they would tell you exactly what is being blocked.

Regards,

Sushil

singhsaju · ‎09-18-2008

Hello,

Can you remove access-list bound to inside interface and then try.

no access-group inside_access_in in interface inside

motasemkhater · ‎09-18-2008

I tried everything you said,,, but its the same here is my show run

motasemkhater · ‎09-19-2008

Hi every one i tried what u asked .

i tried traceroutr -n -I 4.2.2.2 and i get this

root@vashouse03:~# traceroute -n -I 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets

1 * * *

2 * * *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 4.2.2.2 195.437 ms 207.442 ms 212.364 ms

i added inspect icmp error

and tried and same...

the i removed the ACL from inside interface , and i get nothing ...

any idea please..

motasemkhater · ‎09-19-2008

Dear Suschoud

i dont understand (syslogs at the debugging level.)

you mean on my ASA make Debug ICMP TRACE ??

if yes what level you want.

or from my server?

if you mean from ASA command i used it and do traceroute 4.2.2.2 from my server , and i get nothing on my ASA!!!

if i use traceroute -n -I 4.2.2.2 i get the attached output

suschoud · ‎09-19-2008

Taking syslogs :

Access asa via telnet/ssh

conf t

logg mon 7

logg on

term mon

Syslogs would start generating on screen.

capture the screen output in a text file.

To stop syslogs :

term no mon

Regards,

Sushil

motasemkhater · ‎09-19-2008

i enable the logg as you said then go to my linux server and do traceroute 4.2.2.2

attached is the output

cisco24x7 · ‎09-19-2008

Suschoud,

The user uses the "-I" option. In linux, it

uses icmp for traceroute instead of random

UDP high-ports.

motasemkhater · ‎09-20-2008

where are you CISCO SECURITY SPECIALEST.. Any help pleaseeee

Marwan ALshawi · ‎09-20-2008

hi there

have a look at the following link

Handling ICMP Pings and Traceroute:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

if helpful Rate

motasemkhater · ‎09-20-2008

I found it ....

ASA OS 7.2 have BUG..it cant decrement TTL so traceroute will not work, unless you upgrade to OS 8.3

BUG ID : CSCsk 76401

I guess iam the CISCO Specilaist ;)

CSCO12302959 · ‎07-13-2018

Even if ICPM can be inspected and you can ping to the internet but when you do a trace to the same IP as you ping the firewall will block the returning traffic, I had the same problem until I allow icmp from any to the internal IPs as traffic hit the outside interface then everything worked.