08-07-2009 01:22 PM - edited 03-11-2019 09:04 AM
No matter what I do I can't make outbound traceroute through my ASA 5500 work. I've followed Cisco's recommendations and those from fellow posters here for similarly reported problems, but still no luck. What I see is a request time out at each hop except the final destination. I have the following set:
Policy:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
ACL on outside (public) interface:
access-list acl-public extended permit icmp any any echo-reply
access-list acl-public extended permit icmp any any echo
access-list acl-public extended permit icmp any any time-exceeded
access-list acl-public extended permit icmp any any source-quench
access-list acl-public extended permit icmp any any unreachable
Interestingly enough I can traceroute directly on the ASA to remote sites with no issue, but it fails from all hosts behind both the inside and DMZ interfaces.
I manage two other ASAs/PIXes and have no issues with traceroute on those networks, but they are both running 8.0 and not 7.2 (not that this should matter).
Any insight or diagnostic tricks to help determine what might be happening? Thanks!
08-07-2009 07:51 PM
Two of the best tools to use when diagnosing situations like this are packet captures and syslogs. Looking at your configuration above, the only thing that you should really need from an access-list standpoint is 'time-exceeded'. The 'inspect icmp' and 'inspect icmp error' commands should cover the rest.
For the packet captures, you can do the following in 7.2:
access-list TAC extended permit icmp any any
capture capin int inside packet-l 1522 buffer 512000 access-list TAC
capture capout int public packet-l 1522 buffer 512000 access-list TAC
By doing a 'show capture capout', you will be able to see all of the packets that are sent from the ASA's outside interface and what is received. If you download these capture files from the ASA (the easiest way is often 'http://
I didn't find any bugs that are related to this issue but there have been a number of bugs resolved since 7.2(2).
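As an added illustration (not from this thread, Cisco, or the ASA code), a small Python model of the point above: with 'inspect icmp error' the ASA matches the IP/ICMP header embedded in a returning time-exceeded message against the connection opened by the outbound echo probe, so the outside ACL only decides the outcome when that inspection is off. The addresses, ICMP id and packet bytes are constructed, and the model is simplified (checksums, NAT rewriting of the embedded header and UDP probes are ignored).

```python
import struct
from ipaddress import IPv4Address

ICMP_ECHO, ICMP_TIME_EXCEEDED = 8, 11

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; the checksum is left zero (not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def icmp_echo(ident, seq):
    # ICMP echo request header: type, code, checksum, identifier, sequence.
    return struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)

def icmp_time_exceeded(router, probe_src, probe_dst, ident, seq):
    # RFC 792: a type 11 message carries the expired datagram's IP header
    # plus its first 8 bytes (here the ICMP echo header of the probe).
    inner = ipv4_header(probe_src, probe_dst, 1, 8, ttl=1) + icmp_echo(ident, seq)
    outer = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner
    return ipv4_header(router, probe_src, 1, len(outer)) + outer

def parse_icmp_error(pkt):
    """Return (outer_src, icmp_type, (embedded src, dst, proto, id, seq))."""
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = str(IPv4Address(pkt[12:16]))
    icmp_type = pkt[ihl]
    inner = pkt[ihl + 8:]                 # embedded original datagram
    iihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    ident, seq = struct.unpack("!HH", inner[iihl + 4:iihl + 8])
    return outer_src, icmp_type, (src, dst, proto, ident, seq)

def asa_decision(pkt, conn_table, inspect_icmp_error, outside_acl_types):
    """Simplified model of how the ASA handles an inbound ICMP error on 'outside'.

    conn_table holds (inside_src, dst, icmp_id) tuples created by outbound echoes;
    outside_acl_types is the set of ICMP types the outside ACL permits.
    """
    outer_src, icmp_type, (src, dst, proto, ident, seq) = parse_icmp_error(pkt)
    # Inspection relates the error to the outbound probe's connection, so no
    # ACL entry for the error type is needed.
    if inspect_icmp_error and (src, dst, ident) in conn_table:
        return "permit (matched connection by inspection)"
    if icmp_type in outside_acl_types:
        return "permit (outside ACL)"
    return "drop"

# Constructed scenario: inside host probes 203.0.113.9, hop 198.51.100.1 answers.
CONNS = {("10.1.1.5", "203.0.113.9", 0x1234)}
HOP_REPLY = icmp_time_exceeded("198.51.100.1", "10.1.1.5", "203.0.113.9", 0x1234, 1)
```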
08-12-2009 09:18 AM
Must have been a bug in 7.2(2). I updated to 7.2(4) and it fixed it. Thanks.