Showing results for 
Search instead for 
Did you mean: 

Traceroute through ASA v 7.2


I'm able to ping (From a windows machine) anything through the ASA but when trying to trace, I get "request time out" all the way until it actually hits the address. What commands are required to get all the hops to show up in a trace??

13 Replies 13

Rising star
Rising star

You need permit following ICMPs

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any echo-reply


If I create that ACL, where is it applied.

It should be inside interface of ASA... Do you have ACL aplied here?? If yes you should add those lines to this ACL


I'm already permitting "icmp any" from the inside out. Do these have to be permitted individualy?

The access-list with the echo-reply should be on your Outside Interface.

Since you ping from inside to outside.

So it is the Outside host which replies to the echo...

If you have timed out AFTER the packet goes through ASA, it could be normal since not all routers on Internet reply to ping...

Best regards,


JMS112080 -

Did you get this issued resolved? I'm experiencing the same thing. Trace route was working fine until last week, then I starting seeing the same thing you did. What was your resolution?

Not yet...Still seeing the same issue.

Hi. Is there a resolution for this issue ? I have just encountered the same.



The following ACLs should be applied:

On the inside ACL:

permit icmp any

On the outside ACL:

permit icmp any time-exceeded

permit icmp any unreachable

permit icmp any echo-reply

The trick is to use for the outside ACL the natted IP/subnet for your LAN.

If this doesn't work add on the outside ACL:

permit icmp any traceroute

You might want to try with ip any any on yhe inside ACL (the one facing the LAN) to identify where is the filtering incorrect.

In the future, when you need to troubleshoot, the "capture" command is priceless to see trffic hitting interfaces.

Please rate if this helped.




You need to do the following two items for Windows Tracert to work properly.


access-list (inside) extended permit icmp any any echo

access-list (outside) extended permit icmp any any echo-reply

access-list (outside) extended permit icmp any any time-exceeded

UNIX/Linux Traceroute to work properly.


I would say permit the same as above except add permit UDP 33433 and up.

Yes it works. Thanks.

Im having the same issue, however I would only like to allow ICMP 11 back into the asa