PING works but TRACEROUTE does NOT on ASA

Unanswered Question
Sep 18th, 2008

I have an ASA 5505. From my LAN I can ping Internet devices but I can't traceroute to them!

I tried everything I found on Cisco:

1- ACL: I allowed all kinds of ICMP, IP, UDP and TCP on inside and outside

2- ICMP inspect

3- set connection decrement-ttl

My LAN device is UNIX,

and I can do traceroute from the ASA,

and I attached my show run.

suschoud Thu, 09/18/2008 - 11:00

Oops... you have a UNIX server on the inside... hmmm. UNIX uses UDP for traceroute.

Could you please take syslogs at the debugging level? They would tell you exactly what is being blocked.

Regards,

Sushil

singhsaju Thu, 09/18/2008 - 11:17

Hello,

Can you remove the access-list bound to the inside interface and then try?

no access-group inside_access_in in interface inside

motasemkhater Fri, 09/19/2008 - 06:20

Hi everyone, I tried what you asked.

I tried traceroute -n -I 4.2.2.2 and I get this:

[email protected]:~# traceroute -n -I 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 4.2.2.2 195.437 ms 207.442 ms 212.364 ms

I added inspect icmp error

and tried, and it's the same...

Then I removed the ACL from the inside interface, and I get nothing...

Any idea please?

motasemkhater Fri, 09/19/2008 - 06:36

Dear Suschoud

I don't understand "syslogs at the debugging level".

You mean on my ASA run debug icmp trace?

If yes, what level do you want?

Or from my server?

If you mean the ASA command, I used it and did traceroute 4.2.2.2 from my server, and I get nothing on my ASA!!!

If I use traceroute -n -I 4.2.2.2 I get the attached output.

suschoud Fri, 09/19/2008 - 06:40

Taking syslogs:

Access the ASA via telnet/ssh

conf t
logg mon 7
logg on
term mon

Syslogs would start generating on screen.

Capture the screen output in a text file.

To stop syslogs:

term no mon

Regards,

Sushil

cisco24x7 Fri, 09/19/2008 - 09:21

Suschoud,

The user uses the "-I" option. In Linux, it uses ICMP for traceroute instead of random UDP high ports.
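Sushil's advice above is to read the debug-level syslog and see which packet the ASA drops, and the post just above explains why the UNIX side matters: plain traceroute sends UDP probes to high ports, while traceroute -I sends ICMP echo, and in both cases the hops answer with ICMP Time Exceeded that has to come back through the firewall. The script below is an added example, not part of the thread and not Cisco's code; it runs over a handful of constructed syslog lines in the documented format of message IDs 106023 (deny by interface ACL) and 313001 (ICMP to the ASA's own interface dropped) and sorts the drops into the three things this thread is looking for: the UDP probes, the ICMP echo, and the returning Time Exceeded. The sample addresses, ACL name and hints are assumptions for illustration, not taken from the poster's show run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Classic UNIX/Linux traceroute sends UDP probes to ports starting at 33434,
# one port per probe; 33434-33534 covers the default 30 hops x 3 probes.
# "traceroute -I" sends ICMP Echo Request (type 8) instead. Either way each
# hop answers with ICMP Time Exceeded (type 11), which the ASA must let back
# in and, behind PAT, map to the original connection (that is what
# "inspect icmp error" does).
UDP_PROBE_PORTS = range(33434, 33535)
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Constructed sample lines (not from the thread's logs). Formats follow the
# ASA syslog messages 106023, 302020/302021 and 313001.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny udp src inside:192.168.1.10/43210 dst outside:4.2.2.2/33434 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.10/43211 dst outside:4.2.2.2/33435 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src inside:192.168.1.10 dst outside:4.2.2.2 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 203.0.113.5/1 laddr 192.168.1.10/1
%ASA-3-313001: Denied ICMP type=11, code=0 from 203.0.113.1 on interface outside
%ASA-3-313001: Denied ICMP type=3, code=3 from 198.51.100.7 on interface outside
%ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 203.0.113.5/1 laddr 192.168.1.10/1
"""

# 106023: "Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] [(type N, code N)] by access-group "<acl>""
RE_106023 = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'(?:\(type (?P<itype>\d+), code (?P<icode>\d+)\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)
# 313001: ICMP addressed to the appliance's own interface was dropped. A PAT'ed
# traceroute's Time Exceeded replies are addressed to the outside interface IP,
# so this is the message to watch for when ICMP error inspection is missing.
RE_313001 = re.compile(
    r'%ASA-3-313001: Denied ICMP type=(?P<itype>\d+), code=(?P<icode>\d+) '
    r'from (?P<src>[\d.]+) on interface (?P<iface>[\w-]+)'
)


@dataclass
class Finding:
    kind: str    # udp-probe-denied | icmp-echo-denied | icmp-time-exceeded-denied | other-denied
    detail: str  # where the packet was dropped
    line: str    # the raw syslog line


def _classify_acl_deny(m: "re.Match[str]") -> str:
    proto = m["proto"].lower()
    if proto == "udp" and m["dport"] and int(m["dport"]) in UDP_PROBE_PORTS:
        return "udp-probe-denied"
    if proto == "icmp" and m["itype"]:
        if int(m["itype"]) == ICMP_ECHO_REQUEST:
            return "icmp-echo-denied"
        if int(m["itype"]) == ICMP_TIME_EXCEEDED:
            return "icmp-time-exceeded-denied"
    return "other-denied"


def find_traceroute_blocks(syslog_text: str) -> List[Finding]:
    """Pick the traceroute-relevant drops out of a captured ASA syslog."""
    findings: List[Finding] = []
    for line in syslog_text.splitlines():
        m = RE_106023.search(line)
        if m:
            findings.append(Finding(_classify_acl_deny(m), f'ACL {m["acl"]} on {m["src_if"]}', line))
            continue
        m = RE_313001.search(line)
        if m and int(m["itype"]) == ICMP_TIME_EXCEEDED:
            findings.append(Finding("icmp-time-exceeded-denied", f'ASA interface {m["iface"]} from {m["src"]}', line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def diagnose(counts: Dict[str, int]) -> List[str]:
    """Map what was dropped to the fixes discussed in this thread (hint text is the example's own)."""
    hints: List[str] = []
    if counts.get("udp-probe-denied"):
        hints.append("inside ACL drops UDP probes to 33434-33534: permit them, or use traceroute -I (ICMP echo)")
    if counts.get("icmp-echo-denied"):
        hints.append("inside ACL drops ICMP echo: permit icmp echo outbound, or drop the -I option")
    if counts.get("icmp-time-exceeded-denied"):
        hints.append("ICMP Time Exceeded replies dropped on outside: add 'inspect icmp' and 'inspect icmp error' to the global policy")
    if not hints:
        hints.append("no traceroute-related drops logged: check 'set connection decrement-ttl' and the ASA software version")
    return hints


if __name__ == "__main__":
    found = find_traceroute_blocks(SAMPLE_SYSLOG)
    for f in found:
        print(f.kind, "-", f.detail)
    for h in diagnose(summarize(found)):
        print("hint:", h)
```

To use it on a real capture, paste the output of the "term mon" session into a file and pass its contents to find_traceroute_blocks; if the summary comes back empty while traceroute still shows only stars, the ASA is not logging a drop at all, which is the case the thread ends up in.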

motasemkhater Sat, 09/20/2008 - 23:05

I found it ....

ASA OS 7.2 has a BUG... it can't decrement TTL so traceroute will not work, unless you upgrade to OS 8.3

BUG ID: CSCsk76401

I guess I am the CISCO Specialist ;)
