PING work TRACEROUTE NOT !!!!! on ASA

motasemkhater · ‎09-18-2008

I have ASA 5505 from my LAN i can ping internet devices but i cant Traceroute !!

I tried everything i found in cisco:

1- ACL: i allowed all kind ICMP , IP, UDP , TCP in Inside and outside

2- ICMP Inspect

3-set connection decrement-ttl

my lan device is UNIX

and attached my SHOW RUN

singhsaju · ‎09-18-2008

Hello,

Can you remove access-list bound to inside interface and then try.

no access-group inside_access_in in interface inside

Also check following link :

HTH

Saju

Pls rate helpful posts

cisco24x7 · ‎09-18-2008

You need to understand a couple of things:

1- Windows machine uses icmp for traceroute by

default,

2- Unix/Linux machine uses udp high-ports for

traceroute by default,

Why don't you use the "-I" option in traceroute

for linux for icmp instead of udp-high ports?

gen2linux ~ # traceroute -n -I 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets

1 129.174.155.250 0.309 ms 0.206 ms 0.195 ms

2 129.174.4.129 3.193 ms 2.826 ms 0.998 ms

3 129.174.9.1 159.005 ms 148.492 ms 152.521 ms

4 129.174.251.82 154.987 ms 111.564 ms 144.132 ms

5 129.174.250.27 147.177 ms 143.264 ms 144.186 ms

6 129.174.1.210 34.151 ms 25.372 ms 36.665 ms

7 74.125.192.225 148.354 ms 159.467 ms 189.548 ms

8 64.94.0.79 176.558 ms 156.185 ms 131.922 ms

9 129.250.12.37 37.069 ms 40.620 ms 32.535 ms

10 129.250.3.18 56.812 ms 48.983 ms 50.089 ms

11 129.250.2.169 53.516 ms 50.631 ms 48.474 ms

12 4.68.63.185 132.935 ms 154.625 ms 145.812 ms

13 4.68.17.62 155.658 ms 160.607 ms 158.843 ms

14 4.68.121.13 182.012 ms 195.269 ms 182.375 ms

15 4.2.2.2 167.026 ms 138.771 ms 158.681 ms

gen2linux ~ #

motasemkhater · ‎09-18-2008

i tried traceroute -n -I 4.2.2.2 and its the same,... ****

i add inspcet icmp error and same traceroute doesnot work

i also remove the ACL on inside interface and nothing happen

its driving me crazy!!!

motasemkhater · ‎09-18-2008

and here the new sh run