10-11-2019 07:38 AM - edited 02-21-2020 09:34 AM
If a traceroute is done to, let's say, some far away host out in the WAN, the trace will stop showing anything once it hits a FW that is blocking it, correct? Meaning, it won't just show the * but then show all IPs of the hops after it that aren't FWs?
10-11-2019 07:53 AM - edited 10-11-2019 08:56 AM
Hi,
If you traceroute through the ASA, by default the ASA will not appear as a hop (unless you specify decrement-ttl). In order for every hop on the outside of the ASA to be displayed, you'd specifically need to permit that traffic. To permit traceroute traffic you'd modify your inbound ACL on the outside interface to permit time-exceeded and unreachable (which one is required depends on the OS the traceroute was sent from).
HTH
10-11-2019 01:05 PM
No,
You need to allow ICMP, but set connection decrement-ttl is only needed if you want the ASA to be seen in the traceroute path. If you want the ASA to remain invisible, do not implement this. It is not good practice to implement it, and it should only be done if you have a specific need to do so.
10-11-2019 12:32 PM
To allow traceroute through the firewall you need to implement the following commands:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
As @Rob Ingram has already mentioned, if you want the ASA to be seen as a hop along the traceroute path you need to configure the ASA to decrement the TTL counter.
policy-map global_policy
class class-default
set connection decrement-ttl
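The behaviour the answers above describe can be worked through with a small simulation. This is an added example, not code from the thread or from Cisco: the topology, the addresses (RFC 5737 documentation ranges) and the AsaPolicy knobs are constructed for illustration. The model follows the answers as stated: the ASA leaves the probe's TTL alone unless decrement-ttl is set, the outside ACL entries gate the time-exceeded and unreachable replies coming back from hops beyond the ASA, and ICMP inspection gates the echo-reply from the destination for an ICMP probe (Windows tracert style); a UDP probe (Linux/BSD traceroute) is answered by the destination with a port-unreachable instead. It does not model the inspection engine's session handling beyond that, and nothing in it touches a real network.

```python
"""Simulate the hop list a traceroute sent from inside an ASA would display.

Added example, not code from the original thread or from Cisco. Topology,
addresses and the AsaPolicy settings are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed path from the inside host outward (RFC 5737 documentation ranges).
INSIDE_ROUTERS = ["10.0.0.1", "10.0.1.1"]
ASA_INSIDE_IP = "10.0.2.1"          # address the ASA answers from if it expires a probe
OUTSIDE_ROUTERS = ["203.0.113.254", "198.51.100.1"]
TARGET = "198.51.100.10"
MAX_TTL = 10                        # where the simulated traceroute gives up


@dataclass
class AsaPolicy:
    """Settings named in the thread, all off by default (the ASA's out-of-box state)."""
    inspect_icmp: bool = False          # policy-map: inspect icmp (stateful echo/echo-reply)
    permit_time_exceeded: bool = False  # outside ACL: permit icmp any any time-exceeded
    permit_unreachable: bool = False    # outside ACL: permit icmp any any unreachable
    decrement_ttl: bool = False         # policy-map: set connection decrement-ttl


def send_probe(ttl: int, policy: AsaPolicy, probe: str) -> str:
    """Walk one probe along the path; return the address traceroute prints, or '*'."""
    for router in INSIDE_ROUTERS:
        ttl -= 1
        if ttl == 0:
            return router               # time-exceeded from inside never hits the outside ACL

    if policy.decrement_ttl:
        ttl -= 1
        if ttl == 0:
            return ASA_INSIDE_IP        # the ASA itself expires the probe and answers
    # Otherwise the ASA forwards the probe untouched and can never show up as a hop.

    for router in OUTSIDE_ROUTERS:
        ttl -= 1
        if ttl == 0:
            # The reply arrives inbound on the outside interface, so the ACL decides.
            return router if policy.permit_time_exceeded else "*"

    # Probe reached the destination; the reply type depends on the probe type.
    if probe == "udp":                  # Linux/BSD traceroute: ICMP port-unreachable
        return TARGET if policy.permit_unreachable else "*"
    if probe == "icmp":                 # Windows tracert: echo-reply, matched by inspection
        return TARGET if policy.inspect_icmp else "*"
    raise ValueError(f"unknown probe type {probe!r}")


def traceroute(policy: AsaPolicy, probe: str = "udp") -> list[str]:
    """Return the displayed hop list, stopping at the target or at MAX_TTL."""
    hops = []
    for ttl in range(1, MAX_TTL + 1):
        hop = send_probe(ttl, policy, probe)
        hops.append(hop)
        if hop == TARGET:
            break
    return hops


if __name__ == "__main__":
    scenarios = {
        "default ASA, udp probe": (AsaPolicy(), "udp"),
        "ACL permits errors, udp probe": (
            AsaPolicy(permit_time_exceeded=True, permit_unreachable=True), "udp"),
        "ACL permits errors + decrement-ttl, udp probe": (
            AsaPolicy(permit_time_exceeded=True, permit_unreachable=True,
                      decrement_ttl=True), "udp"),
        "ACL permits errors, no inspect icmp, icmp probe": (
            AsaPolicy(permit_time_exceeded=True, permit_unreachable=True), "icmp"),
    }
    for name, (policy, probe) in scenarios.items():
        print(f"{name}:")
        for n, hop in enumerate(traceroute(policy, probe), start=1):
            print(f"  {n:2d}  {hop}")
```

The default scenario prints the two inside routers and then nothing but * up to the hop limit, which is the answer to the original question: once the ASA drops the returning ICMP errors, every hop beyond it goes dark, not just the firewall's own line. Comparing the second and third scenarios shows the ASA staying invisible versus appearing at hop 3 once decrement-ttl is set, and the last scenario shows why the required ACL entry depends on the sending OS: with only the error-message permits, an ICMP-probe trace shows every intermediate hop but never the destination.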