PING works, TRACEROUTE does NOT!!!!! on ASA

motasemkhater
Level 1

I have an ASA 5505.... From my LAN I can ping internet devices but I can't traceroute to them!!

I tried everything I found from Cisco:

1- ACL: I allowed all kinds of ICMP, IP, UDP, TCP on inside and outside

2- ICMP inspect

3- set connection decrement-ttl

My LAN device is UNIX,

and I can do traceroute from the ASA,

and I attached my show run.

13 Replies

suschoud
Cisco Employee

Add:

inspect icmp error

Regards,

Sushil

suschoud
Cisco Employee

Oops... you have a UNIX server on the inside. Hmm, UNIX uses UDP for traceroute.

Could you please take syslogs at the debugging level? They would tell you exactly what is being blocked.

Regards,

Sushil

Hello,

Can you remove the access-list bound to the inside interface and then try?

no access-group inside_access_in in interface inside

I tried everything you said, but it's the same. Here is my show run.

Hi everyone, I tried what you asked.

I tried traceroute -n -I 4.2.2.2 and I get this:

root@vashouse03:~# traceroute -n -I 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
 5 * * *
 6 * * *
 7 * * *
 8 4.2.2.2 195.437 ms 207.442 ms 212.364 ms

I added inspect icmp error

and tried, and same...

Then I removed the ACL from the inside interface, and I get nothing...

Any idea please..

Dear Suschoud,

I don't understand "syslogs at the debugging level".

You mean on my ASA make debug icmp trace??

If yes, what level do you want?

Or from my server?

If you mean the ASA command, I used it and did traceroute 4.2.2.2 from my server, and I get nothing on my ASA!!!

If I use traceroute -n -I 4.2.2.2 I get the attached output.

Taking syslogs:

Access the ASA via telnet/ssh

conf t

logg mon 7

logg on

term mon

Syslogs would start generating on screen.

Capture the screen output in a text file.

To stop syslogs:

term no mon

Regards,

Sushil

I enabled the logging as you said, then went to my Linux server and did traceroute 4.2.2.2.

Attached is the output.

Suschoud,

The user uses the "-I" option. In Linux, it uses ICMP for traceroute instead of random UDP high-ports.

Where are you, CISCO SECURITY SPECIALIST.. Any help pleaseeee

Hi there,

have a look at the following link.

Handling ICMP Pings and Traceroute:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

If helpful, rate.

I found it....

ASA OS 7.2 has a bug: it can't decrement TTL, so traceroute will not work unless you upgrade to OS 8.3.

BUG ID: CSCsk 76401

I guess I am the CISCO Specialist ;)

Even if ICMP can be inspected and you can ping to the internet, when you do a trace to the same IP as you ping, the firewall will block the returning traffic. I had the same problem until I allowed ICMP from any to the internal IPs as the traffic hit the outside interface; then everything worked.
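Two points in this thread are easy to check against a syslog capture: Sushil's advice that debugging-level syslogs show exactly which traceroute traffic the ASA drops, and the last reply's observation that the returning ICMP (time-exceeded from each hop, port-unreachable from the final hop) is what gets blocked on the outside interface. The script below is an added example, not code from the thread or from Cisco. It reads a capture in the shape of ASA syslog output and sorts the denials into the two failure modes discussed here. The sample lines are constructed (documentation addresses, a made-up NAT mapping), the regexes are assumptions about the layout of message IDs 106023 and 106014, and the UDP port range is the classic UNIX traceroute default.

```python
import re
from collections import Counter

# Constructed sample in the shape of ASA syslog output captured with
# "logging monitor 7" / "terminal monitor". It is NOT the thread's attachment:
# inside host 192.168.1.10 NATed to 203.0.113.5, trace target 4.2.2.2 as in the thread.
SAMPLE_SYSLOG = """\
%ASA-6-302015: Built outbound UDP connection 1201 for outside:4.2.2.2/33434 (4.2.2.2/33434) to inside:192.168.1.10/52001 (203.0.113.5/52001)
%ASA-4-106023: Deny udp src inside:192.168.1.10/52002 dst outside:4.2.2.2/33435 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.10/52003 dst outside:4.2.2.2/33436 by access-group "inside_access_in" [0x0, 0x0]
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.1 dst inside:203.0.113.5 (type 11, code 0)
%ASA-3-106014: Deny inbound icmp src outside:4.2.2.2 dst inside:203.0.113.5 (type 3, code 3)
%ASA-4-106023: Deny tcp src inside:192.168.1.10/41000 dst outside:192.0.2.9/23 by access-group "inside_access_in" [0x0, 0x0]
"""

# Classic UNIX traceroute sends UDP probes to 33434 and counts upward, one port per probe.
TRACEROUTE_UDP_PORTS = range(33434, 33535)
ICMP_UNREACHABLE = 3      # type 3/code 3 is the final hop's "port unreachable" answer to a UDP probe
ICMP_TIME_EXCEEDED = 11   # type 11 is what each intermediate hop returns when the TTL hits zero

# %ASA-4-106023: an access-group on an interface denied a packet (layout assumed here).
ACL_DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# %ASA-3-106014: an inbound ICMP packet was denied (layout assumed here).
ICMP_DENY_RE = re.compile(
    r'%ASA-\d-106014: Deny inbound icmp src (?P<sif>\w+):(?P<sip>[\d.]+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)')


def classify(line):
    """Return a verdict string for a traceroute-relevant denial, or None for anything else."""
    m = ACL_DENY_RE.search(line)
    if m:
        if m['proto'] == 'udp' and int(m['dport']) in TRACEROUTE_UDP_PORTS:
            return 'udp-probe-denied-by-acl:' + m['acl']
        return None  # some other ACL hit (here a telnet attempt), not part of the trace
    m = ICMP_DENY_RE.search(line)
    if m:
        icmp_type = int(m['type'])
        if icmp_type == ICMP_TIME_EXCEEDED:
            return 'ttl-expired-reply-dropped-on:' + m['sif']
        if icmp_type == ICMP_UNREACHABLE:
            return 'unreachable-reply-dropped-on:' + m['sif']
    return None


def analyze(syslog_text):
    """Count verdicts over a whole capture; each key says what kind of traceroute traffic died where."""
    counts = Counter()
    for line in syslog_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            counts[verdict] += 1
    return dict(counts)


def suggest(counts):
    """Map verdicts to the remedies discussed in the thread (not an exhaustive ASA troubleshooting list)."""
    fixes = []
    if any(k.startswith('udp-probe-denied-by-acl:') for k in counts):
        fixes.append('inside ACL is dropping the UDP probes (33434-33534): permit them, or test with the '
                     'access-group removed from the inside interface as suggested in the thread')
    if any(k.startswith(('ttl-expired-reply-dropped-on:', 'unreachable-reply-dropped-on:')) for k in counts):
        fixes.append('returning ICMP time-exceeded/unreachable is dropped on the outside: enable '
                     '"inspect icmp" and "inspect icmp error", or permit those ICMP types inbound on the '
                     'outside ACL as the last poster did')
    return fixes


if __name__ == '__main__':
    result = analyze(SAMPLE_SYSLOG)
    for verdict, n in sorted(result.items()):
        print(f'{n:3d}  {verdict}')
    for fix in suggest(result):
        print('fix:', fix)
```

Run it against the text file saved from `term mon` instead of the constructed sample; a capture with no 106023 or 106014 hits for the probe ports or ICMP types points away from the ACL/inspection fixes and toward the TTL-decrement behaviour the original poster eventually found.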
