traceroute response issues, on ASA5505?


I am having some odd traceroute issues coming from clients behind my ASA5505.

ASA Version: 9.1(1)

ASDM Version: 7.1(1)52

Firewall Mode: Routed

Using ASDM I have modified the Rule Actions on the default service policy, to inspect ICMP. I have also added the following two rules to the outside interface on the firewall:

permit Source: Any4 to Destination: Any4 for Service: icmp

permit Source: any6 to Destination: Any6 for Service: icmp6

If I then try to perform a traceroute from the ASA itself, the traceroute comes back correct, such as:


  1 0 msec 0 msec 0 msec
  2 20 msec 10 msec 20 msec
  3 ( 20 msec 10 msec 10 msec
  4 ( 30 msec ( 20 msec ( 10 msec
  5 ( 20 msec 20 msec 20 msec
  6 ( 30 msec 10 msec 60 msec
  7 20 msec 20 msec 20 msec
  8 20 msec 20 msec 20 msec
  9 20 msec 20 msec 20 msec
  10 ( 20 msec 10 msec 20 msec

However, if I then try to perform a traceroute from a client behind the NAT side of the firewall, the traceroutes come back differently, and I don't actually get to see the IP address of the hops:

Tracing route to [] over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms
  2    36 ms    23 ms    23 ms
  3    10 ms    10 ms    10 ms
  4    15 ms    11 ms    22 ms
  5    20 ms    23 ms    22 ms
  6    15 ms    14 ms    29 ms
  7    13 ms    12 ms    14 ms
  8    13 ms    29 ms    12 ms
  9    56 ms    56 ms    60 ms


Any idea what needs to be modified in order to allow me to see the correct traceroute hops from behind my firewall?

3 Replies



Take a look at this guide:

You need some commands to allow traceroute on an ASA:


! Decrement the TTL of packets that pass through the ASA, so the ASA shows up as a hop
policy-map global_policy
 class class-default
  set connection decrement-ttl
!
! Rate at which the ASA itself may send ICMP unreachable messages (needed for it to answer as a hop)
icmp unreachable rate-limit 10 burst-size 5

And allow ICMP time-exceeded on the outside interface.



Is this because I am now running ASA 9.1(1)? I seem to recall the configuration options that I listed in the original post seemed to make traceroute work without issue under ASA 8.4(3).

Also, if I continue to experience this issue, can I downgrade from 9.1(1) back to 8.4(x) without 'breaking' anything in my config?

Hello Robert,

Is it working with the configuration changes that my co-worker Felipe provided you (as those are the ones needed)?

It is not just because you went to 9.0; I mean there are several changes from the previous version to this one, but the behavior of the traceroute mechanism is still the same...

If this is not working yet please add the following command:

fixup protocol icmp-error

(This command will allow the ASA to show the IP addresses involved in the exchange of ICMP error messages; by default the ASA will hide them.)


Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
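The two replies above change two separate things: `set connection decrement-ttl` makes the firewall consume a TTL hop so it answers the first probe itself, and ICMP error inspection lets the firewall map a router's Time Exceeded message back to the inside client by reading the probe quoted inside it. The script below is an added example, not code from this thread or from Cisco: a simplified PAT firewall model built from raw IPv4/ICMP bytes, with constructed addresses (192.168.1.0/24 inside, 203.0.113.5 outside, documentation-range routers) and a `NatFirewall` class whose two flags stand in for those two settings. It is a model of the mechanism, not the ASA's implementation.

```python
# Added example (not from the thread, not ASA code): a simplified PAT firewall
# showing why the two changes in the replies matter for traceroute.
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) in front of payload, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                                0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload

def rewrite(packet, src=None, dst=None, ttl=None):
    """Copy of packet with IPv4 src/dst/TTL replaced and the header checksum redone."""
    hdr = bytearray(packet[:20])
    if src: hdr[12:16] = ipaddress.ip_address(src).packed
    if dst: hdr[16:20] = ipaddress.ip_address(dst).packed
    if ttl is not None: hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def addr(packet, offset):
    """Dotted-quad string of the 4-byte address at offset."""
    return str(ipaddress.ip_address(packet[offset:offset + 4]))

def udp_probe(src, dst, sport, ttl, dport=33434):
    """One traceroute probe: UDP to a high port, carrying the TTL under test."""
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0), ttl)

def time_exceeded(router, expired):
    """RFC 792 Time Exceeded (type 11) quoting the expired IP header + 8 payload bytes."""
    body = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + expired[:28])
    body[2:4] = struct.pack("!H", checksum(bytes(body)))
    return ipv4(router, addr(expired, 12), 1, bytes(body))

def checksums_ok(packet):
    """True when the IPv4 header and, for ICMP, the ICMP body verify (sum to zero)."""
    return checksum(packet[:20]) == 0 and (packet[9] != 1 or checksum(packet[20:]) == 0)

class NatFirewall:
    """PAT firewall model. decrement_ttl stands for 'set connection decrement-ttl';
    inspect_icmp_error for ICMP error inspection ('fixup protocol icmp-error')."""
    def __init__(self, inside_ip, outside_ip, decrement_ttl, inspect_icmp_error):
        self.inside_ip, self.outside_ip = inside_ip, outside_ip
        self.decrement_ttl, self.inspect_icmp_error = decrement_ttl, inspect_icmp_error
        self.xlate = {}          # mapped source port -> (inside host, original port)
        self.next_port = 40000

    def outbound(self, probe):
        """Returns (packet sent to the outside, reply generated locally for the client)."""
        ttl = probe[8]
        if self.decrement_ttl:
            ttl -= 1
            if ttl == 0:         # the firewall itself is the hop that expires the probe
                return None, time_exceeded(self.inside_ip, probe)
        mapped, self.next_port = self.next_port, self.next_port + 1
        self.xlate[mapped] = (addr(probe, 12), struct.unpack("!H", probe[20:22])[0])
        out = rewrite(probe, src=self.outside_ip, ttl=ttl)
        return out[:20] + struct.pack("!H", mapped) + out[22:], None

    def inbound(self, packet):
        """ICMP error from the outside: deliverable only when the quoted header is
        parsed and mapped back to the inside flow; otherwise it matches nothing."""
        if packet[9] != 1 or packet[20] != 11 or not self.inspect_icmp_error:
            return None          # not Time Exceeded, or no inspection: dropped
        quoted = packet[28:]     # the probe as the router saw it (outside address/port)
        mapped = struct.unpack("!H", quoted[20:22])[0]
        if addr(quoted, 12) != self.outside_ip or mapped not in self.xlate:
            return None
        inside_host, orig_port = self.xlate[mapped]
        quoted = rewrite(quoted, src=inside_host)
        quoted = quoted[:20] + struct.pack("!H", orig_port) + quoted[22:]
        body = bytearray(packet[20:28] + quoted)
        body[2:4] = b"\x00\x00"
        body[2:4] = struct.pack("!H", checksum(bytes(body)))
        return rewrite(packet[:20] + bytes(body), dst=inside_host)

def traceroute(client, firewall, routers, max_hops=8):
    """Client's view: the address that answered each TTL, '*' when nothing came back."""
    hops = []
    for ttl in range(1, max_hops + 1):
        out, reply = firewall.outbound(udp_probe(client, "198.51.100.10", 33000 + ttl, ttl))
        if out is not None:
            expires_at = out[8] - 1           # index of the router that zeroes the TTL
            if expires_at >= len(routers):
                break                         # destination reached; not modelled here
            reply = firewall.inbound(time_exceeded(routers[expires_at], out))
        hops.append(addr(reply, 12) if reply else "*")
    return hops

if __name__ == "__main__":
    routers = ["203.0.113.1", "198.51.100.1", "198.51.100.9"]   # constructed addresses
    for dec, insp in [(False, False), (True, False), (True, True)]:
        fw = NatFirewall("192.168.1.1", "203.0.113.5", dec, insp)
        print(f"decrement-ttl={dec} icmp-error={insp}:", traceroute("192.168.1.20", fw, routers))
```

Running it prints three hop lists: with neither setting the client sees only `*` entries, with only TTL decrement it sees the firewall and then `*`, and with both it sees the firewall followed by every router. The `inbound` method is the part to read closely: the Time Exceeded message is addressed to the firewall's outside address by a router the firewall has never spoken to, so the only way to deliver it is to look at the quoted probe, find the translation by its mapped port, and rewrite both the outer destination and the quoted source before recomputing the checksums.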