Unable to see tracert output on the command promt

Hi,

We are having two sets of firewall between two facilities, like HO and Branch office. We are able to see tracert output of any site from HO, however we are unable to see tracert output (hops) from Branch office. Please help on this.

Thanks in advance.

Regards,

Abhijit Kasarekar

7 Replies

varrao
Level 10

Hi Abhijit,

You would need to enable traceroute on the ASA, kindly follow this doc for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for quick response.

I am having all the necessary access on the firewall, but still I am unable to see it.

Please suggest.

Regards.

Abhijit Kasarekar

Hi Abhijit,

If you have already enabled the traceroute on ASA, then I would suggest you also take logs on the firewall to check where the packets are being denied for tracert. Also, could you paste the config that you have added for allowing traceroute?

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Please find the configuration below.

access-list inside extended permit icmp any any echo
access-list inside extended permit icmp any any echo-reply
access-list inside extended permit icmp any any time-exceeded
access-list inside extended permit icmp any any unreachable
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit icmp any any unreachable
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
access-group inside in interface inside
access-group outside in interface outside

Thanks,

Abhijit Kasarekar

Hi Abhijit,

Please find the configuration below:

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any

!--- This class-map exists by default.

ciscoasa(config)#policy-map global_policy

!--- This policy-map exists by default.

ciscoasa(config-pmap)#class class-default

!--- Add another class-map to this policy.

ciscoasa(config-pmap-c)#set connection decrement-ttl

!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, which (somewhat) hides the firewall
!--- from traceroute: it never produces a time-exceeded reply and so never appears as a hop.

ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global

!--- This service-policy exists by default.

WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5

!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- Windows tracert sends three probes per hop, so the default
!--- results in timeouts (*) for the ASA hop.

ciscoasa(config)#access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
ciscoasa(config)#access-list outside-in-acl extended permit icmp any any time-exceeded

!--- The access-list on the far end of the ICMP traffic (in this case
!--- the outside interface) needs to be modified in order to allow
!--- ICMP type 11 (time-exceeded) replies back through the firewall:

ciscoasa(config)#access-group outside-in-acl in interface outside

Kindly refer to the doc above for complete details.

Thanks,

Varun

Thanks,
Varun Rao
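To make the three knobs in the configuration above concrete, here is an added simulation (not part of the thread and not Cisco code) of how Windows tracert perceives a path that crosses two ASAs. It models the three behaviours the pasted config addresses: an ASA that does not decrement TTL never answers and is simply invisible; an ASA with decrement-ttl but the default unreachable rate-limit 1 burst-size 1 answers only the first of the three probes; and an ASA whose facing ACL drops ICMP type 11 hides every hop beyond it (only the final echo-reply gets through), which is the "no hops visible" symptom. The hop names, the burst-per-round treatment of the rate limit, and the path layout are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PROBES_PER_TTL = 3  # Windows tracert sends three echo requests for every TTL value


@dataclass
class Hop:
    name: str
    decrement_ttl: bool = True           # routers always decrement; an ASA only with 'set connection decrement-ttl'
    filters_time_exceeded: bool = False  # True: this device's ACL drops ICMP type 11 passing back through it
    unreachable_burst: Optional[int] = None  # simplified 'icmp unreachable ... burst-size' per probe round (None = no limit)


def send_probe(path: List[Hop], ttl: int, burst_used: Dict[str, int]) -> Optional[str]:
    """One echo request with the given TTL. Returns the name of the hop that answered,
    or None if the probe times out. burst_used counts replies per hop in this TTL round."""
    for index, hop in enumerate(path[:-1]):  # the last element is the destination host
        if hop.decrement_ttl:
            ttl -= 1
        if ttl > 0:
            continue  # forwarded on to the next hop
        # TTL expired here: this hop must generate ICMP type 11 (time-exceeded)
        if hop.unreachable_burst is not None:
            if burst_used.get(hop.name, 0) >= hop.unreachable_burst:
                return None  # rate limit exhausted: no reply for this probe (shows as *)
            burst_used[hop.name] = burst_used.get(hop.name, 0) + 1
        # the reply travels back through every earlier hop; a firewall without
        # 'permit icmp any any time-exceeded' on the facing interface drops it
        if any(h.filters_time_exceeded for h in path[:index]):
            return None
        return hop.name
    return path[-1].name  # destination reached: echo-reply (permitted on both ACLs) comes back


def tracert(path: List[Hop], max_hops: int = 30):
    """Return [(ttl, [reply, reply, reply]), ...] until the destination answers."""
    rows = []
    for ttl in range(1, max_hops + 1):
        burst_used: Dict[str, int] = {}
        replies = [send_probe(path, ttl, burst_used) for _ in range(PROBES_PER_TTL)]
        rows.append((ttl, replies))
        if path[-1].name in replies:
            break
    return rows


def render(rows) -> str:
    """Format rows the way tracert prints them, with * for a timed-out probe."""
    return "\n".join(f"{ttl:3d}  " + "  ".join(r if r else "*" for r in replies) for ttl, replies in rows)


def build_path(decrement_ttl: bool, burst: Optional[int], branch_filters_type11: bool = False) -> List[Hop]:
    """Constructed branch -> HO path: router, branch ASA, WAN router, HO ASA, HO server."""
    return [
        Hop("branch-router"),
        Hop("branch-asa", decrement_ttl, branch_filters_type11, burst),
        Hop("wan-router"),
        Hop("ho-asa", decrement_ttl, False, burst),
        Hop("ho-server"),
    ]


if __name__ == "__main__":
    print("ASA default (no decrement-ttl): firewalls are invisible")
    print(render(tracert(build_path(False, 1))))
    print("\ndecrement-ttl with default rate-limit 1 burst-size 1: ASA hops partly time out")
    print(render(tracert(build_path(True, 1))))
    print("\ndecrement-ttl with rate-limit 10 burst-size 5: all probes answered")
    print(render(tracert(build_path(True, 5))))
    print("\nbranch ASA outside ACL drops type 11: every hop past it shows as * * *")
    print(render(tracert(build_path(True, 5, True))))
```

Run it and compare the four printouts with the real tracert from the branch: if only the final host line shows replies and every intermediate line is `* * *`, the type 11 replies are being dropped on the way back, and the firewall logs (as suggested earlier in the thread) will show which interface ACL is doing it.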

Hi,

Done the same settings on both the firewalls, but still unable to see tracert output.

I would suggest you share a bit more information; could you share the configuration? I would like to know from which interface to which interface the tracert is being done. These details would make it a bit easier.

Basically, the outputs I need are:

show run class-map
show run policy-map
show run access-group
show run access-list
show service-policy

This should be enough; if required I'll ask. Also, please check what logs you get, if you are suspecting that the firewall is dropping the traceroute.

Thanks,

Varun

Thanks,
Varun Rao