Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
549
Views
0
Helpful
7
Replies

traceroute result "time out" passing through ASA to outside (public)

CiscoJane
Level 1
Level 1

‎08-21-2023 09:44 PM

Hello all,

I have an issue regarding traceroute result "time out" passing through ASA to outside (public). I have two public ip addresses at ASA, one is assigned at outside interface which translate (NAT) for some networks (192.x.x.x/24). Another one (public ip) is not assigned at any interface but it works NAT for a network (172.x.x.x/24). 

When i traceroute to public (eg: 8.8.8.8) from 192.x.x.x network, it is fine and no time out and complete trace. When i traceroute to public (eg: 8.8.8.8) from 172.x.x.x network, it got many time outs and also complete traceroute.

Thanks for any response.

0 Helpful
7 Replies 7

marce1000
VIP
VIP

‎08-21-2023 11:47 PM

 

            - FYI : https://advanxer.com/2015/04/allowing-tracert-in-cisco-asa-firewall/

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

CiscoJane
Level 1
Level 1
In response to marce1000

‎08-22-2023 12:59 AM

I have tried with these, it does not work. thanks.

0 Helpful

marce1000
VIP
VIP
In response to CiscoJane

‎08-22-2023 01:46 AM

 

             >...I have tried with these, it does not work. thanks.
 - Then it could be a bug , try recent advisory software version for  your ASA (if applicable)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎08-22-2023 12:30 AM

Do you have -inspect icmp error

is the Public IP different IP range configured on the Outside interface ?

can you post example traceroute output here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

CiscoJane
Level 1
Level 1
In response to balaji.bandi

‎08-22-2023 12:58 AM

Two public ip addresses are the same range, one is assigned at Outside interface and another one is just for NAT ip. Below is screenshot for traceroute.

soesoemyat_0-1692691074465.png

 

0 Helpful

CiscoJane
Level 1
Level 1
In response to balaji.bandi

‎08-22-2023 01:00 AM

i have no inspect icmp error

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to CiscoJane

‎08-22-2023 02:23 AM

May be try adding that command and also TTL expiry config.

Why there are many 172.X Hops  before reaching NAT IP(public)?

Can you post the sucess one ? 192.X ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card