06-15-2019 11:05 AM - edited 06-15-2019 11:06 AM
Hello all,
I'm trying to perform a traceroute from a host behind an ASA 5505, but I cannot see any path:
C:\Users\Stef>tracert -d www.google.com
Tracing route to www.google.com [216.58.207.36]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 52 ms 52 ms 53 ms 216.58.207.36
I have also uploaded the configuration file. What is the missing command used to traceroute successfully?
Thanks in advance,
Stef
06-15-2019 11:15 AM
Hi,
To traceroute through the ASA you need to permit icmp time-exceeded and unreachable inbound on the outside interface. E.g:-
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface OUTSIDE
By default the ASA's IP address would not appear as a hop in the traceroute; to enable this you can also decrement the TTL. E.g:-
policy-map global_policy
 class class-default
  set connection decrement-ttl
Further examples here and here.
HTH
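An added example, not part of the original thread: a small parser for Windows `tracert -d` output that flags the symptom from the question, where the destination answers but every transit hop times out because the routers' ICMP time-exceeded replies are dropped on the way back. The function names, verdict strings and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample, abridged from the `tracert -d` output format in the question.
BLOCKED = """\
Tracing route to www.google.com [216.58.207.36]
over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3    52 ms    52 ms    53 ms  216.58.207.36
Trace complete.
"""

TARGET = re.compile(r"Tracing route to (\S+)(?: \[(\S+)\])?")
HOP = re.compile(r"^\s*(\d+)\s+(.+)$")
IPV4_AT_END = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_tracert(text):
    """Return (target_ip, [(hop_number, responder_ip_or_None), ...]). IPv4 only."""
    target, hops = None, []
    for line in text.splitlines():
        t = TARGET.search(line)
        if t:
            # With a hostname the address is in brackets; with a bare IP it is group 1.
            target = t.group(2) or t.group(1)
            continue
        h = HOP.match(line)
        if h:
            ip = IPV4_AT_END.search(h.group(2))
            hops.append((int(h.group(1)), ip.group(1) if ip else None))
    return target, hops


def classify(text):
    """Label a trace by which hops answered."""
    target, hops = parse_tracert(text)
    if not hops or hops[-1][1] != target:
        return "destination-not-reached"
    transit = [ip for _, ip in hops[:-1]]
    if transit and all(ip is None for ip in transit):
        # Echo replies from the target return, but no router's ICMP
        # time-exceeded did: the pattern shown in the question.
        return "icmp-errors-filtered"
    return "path-visible"


if __name__ == "__main__":
    print(classify(BLOCKED))
```

Running the same check before and after applying the access-list change confirms whether transit hops have become visible.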
06-15-2019 12:00 PM
Thanks RJI! Now I can see traceroute is working as expected!