01-10-2007 07:10 AM - edited 03-11-2019 02:17 AM
I'm able to ping (from a Windows machine) anything through the ASA but when trying to trace, I get "request time out" all the way until it actually hits the address. What commands are required to get all the hops to show up in a trace?
01-10-2007 07:14 AM
You need to permit the following ICMPs:
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
M.
01-10-2007 11:34 AM
If I create that ACL, where is it applied?
01-10-2007 12:16 PM
It should be on the inside interface of the ASA... Do you have an ACL applied here? If yes, you should add those lines to this ACL.
M.
01-10-2007 02:06 PM
I'm already permitting "icmp any" from the inside out. Do these have to be permitted individually?
01-10-2007 03:18 PM
The access-list with the echo-reply should be on your Outside Interface.
Since you ping from inside to outside.
So it is the Outside host which replies to the echo...
If you have timed out AFTER the packet goes through the ASA, it could be normal since not all routers on the Internet reply to ping...
Best regards,
KH
01-19-2007 09:16 AM
JMS112080 -
Did you get this issue resolved? I'm experiencing the same thing. Trace route was working fine until last week, then I started seeing the same thing you did. What was your resolution?
01-19-2007 12:41 PM
Not yet... Still seeing the same issue.
01-31-2007 11:57 PM
Hi. Is there a resolution for this issue? I have just encountered the same.
Regards.
02-01-2007 12:41 AM
Hi,
The following ACLs should be applied:
On the inside ACL:
permit icmp
On the outside ACL:
permit icmp any
permit icmp any
permit icmp any
The trick is to use for the outside ACL the natted IP/subnet for your LAN.
If this doesn't work add on the outside ACL:
permit icmp any
You might want to try with ip any any on the inside ACL (the one facing the LAN) to identify where the filtering is incorrect.
In the future, when you need to troubleshoot, the "capture" command is priceless to see traffic hitting interfaces.
Please rate if this helped.
Regards,
Daniel
02-01-2007 12:51 AM
You need to do the following two items for Windows Tracert to work properly.
--------------------------------------------
access-list (inside) extended permit icmp any any echo
access-list (outside) extended permit icmp any any echo-reply
access-list (outside) extended permit icmp any any time-exceeded
UNIX/Linux Traceroute to work properly.
---------------------------------------------
I would say permit the same as above except add permit UDP 33433 and up.
02-01-2007 09:48 PM
Yes it works. Thanks.
12-26-2013 01:36 PM
I'm having the same issue, however I would only like to allow ICMP 11 back into the ASA.
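The ICMP types discussed in this thread, modelled as an added example that is not part of any post: it parses `permit icmp any any [type]` lines and shows which Windows tracert rows would time out for a given rule set. The ACL names `INSIDE_IN` and `OUTSIDE_IN` and the sample rules are constructed, and the model assumes no stateful ICMP inspection and that every router on the path answers.

```python
import re

# ICMP type numbers for the keywords used in the thread's ACL lines.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+icmp\s+any\s+any(?:\s+(\S+))?$"
)

def permitted_types(acl_text, acl_name):
    """Return the ICMP type numbers permitted by one ACL's `permit icmp any any` lines."""
    allowed = set()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        keyword = m.group(2)
        if keyword is None:
            allowed |= set(range(256))        # no type keyword: every ICMP type
        elif keyword in ICMP_TYPES:
            allowed.add(ICMP_TYPES[keyword])
        elif keyword.isdigit():
            allowed.add(int(keyword))         # numeric type, e.g. 11
    return allowed

def tracert_view(outbound, inbound, hops):
    """Model Windows tracert: probes are echo (8); routers answer with
    time-exceeded (11); only the final target answers with echo-reply (0)."""
    if 8 not in outbound:
        return ["*"] * hops                   # probes never leave the inside
    rows = ["hop" if 11 in inbound else "*" for _ in range(hops - 1)]
    rows.append("target" if 0 in inbound else "*")
    return rows

# Constructed sample: echo out and echo-reply back, but no time-exceeded.
SAMPLE_ACL = """\
access-list INSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
"""

if __name__ == "__main__":
    out = permitted_types(SAMPLE_ACL, "INSIDE_IN")
    before = permitted_types(SAMPLE_ACL, "OUTSIDE_IN")
    print("echo-reply only:      ", tracert_view(out, before, 4))
    print("plus time-exceeded:   ", tracert_view(out, before | {11}, 4))
    print("time-exceeded only:   ", tracert_view(out, {11}, 4))
```

With only echo-reply permitted inbound, every row except the last times out, which is the symptom in the opening post; with only type 11 permitted inbound, the intermediate hops appear but the final row times out under this model.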