How to tracert to outside in ASA 5505/5520?

zhangweihua
Level 1

Hi, everybody.

The tracert issue has troubled me for a long time. I don't know how to deal with it. Please give me some advice. Thanks!

Following are the details.

The network has two firewalls (ASA 5505, ASA 5520) placed in different cities, and everyone inside can reach the internet.

The problem is that we can ping internet IPs from inside but cannot tracert to outside IPs. It always replies "request timed out".

Why?

Does somebody know?

3 Replies

Kureli Sankar
Cisco Employee

You need the following:

inspect icmp

inspect icmp error

and also allow ICMP unreachable and time-exceeded to come back in via the ACL applied on the outside interface.

Please follow this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

-KS

Ganesh Hariharan
VIP Alumni

Hi,

You need to apply the following ACL in the "in" direction of the outside interface to allow ping and traceroute from the internet to your DMZ/inside servers.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL remark Traceroute purpose
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

Hope it clears your query!!

Do rate if helpful!!

Ganesh.H

Hello,

I know this was a long time ago, but I'm facing the same issue on the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.

I also checked my ASA configuration and the only setting that is not present is the "match any" for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:

ASA(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Can you guys help me? I posted below the tracert output and the relevant configuration. I can't find the misfit and I already checked most of the configuration forums.

C:\>tracert www.google.com

Tracing route to www.google.com [173.194.79.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23   212 ms   212 ms   212 ms  pb-in-f104.1e100.net [173.194.79.104]

Trace complete.

--- Router configuration

icmp unreachable rate-limit 10 burst-size 5
!
!
!
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object icmp6 echo-reply
 service-object icmp6 time-exceeded
 service-object icmp6 unreachable
!
!
!
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
!
!
!
access-group IF_outside_access_in in interface IF_outside
!
!
!
class-map class_default
!--- This does not exist -> match any
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
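As an added example (not from any of the posters and not a Cisco tool), the following Python script audits an ASA config excerpt for the settings the replies above ask for: an inbound ACL on the outside interface that permits the ICMP replies, "inspect icmp" and "inspect icmp error" in the global policy, and "set connection decrement-ttl" under class-default. The two sample configs are constructed from the snippets posted in this thread (the second one adds the inspections); the parser assumes the ASA's one-space indentation for object-group, class and policy-map children and handles only those statements.

```python
"""Audit an ASA config excerpt for the settings ping and tracert through the
firewall depend on. Added example for this thread, not a Cisco tool; the
sample configs at the bottom are constructed from the snippets posted here."""

# ICMP messages that must come back in for Windows tracert (ICMP echo based)
REQUIRED_RETURN = {"echo-reply", "time-exceeded"}
# port-unreachable from the last hop is how UDP/TCP traceroute (Linux, macOS)
# learns that it has arrived, so it is worth permitting too
RECOMMENDED_RETURN = {"unreachable"}


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_config(text):
    """Minimal parser for the handful of ASA statements the audit looks at."""
    cfg = {"og": {}, "acl": {}, "access_groups": {}, "policy": {}, "global_policy": None}
    cur_og = cur_pm = cur_class = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue  # blank lines, '!' separators and '!---' comments
        ind = _indent(raw)
        if ind == 0:
            cur_og = cur_pm = cur_class = None
            if tok[:2] == ["object-group", "service"] and len(tok) > 2:
                cur_og = tok[2]
                cfg["og"].setdefault(cur_og, set())
            elif tok[0] == "access-list" and len(tok) > 2:
                cfg["acl"].setdefault(tok[1], []).append(tok[2:])
            elif tok[0] == "access-group" and len(tok) >= 5:
                cfg["access_groups"][tok[1]] = (tok[2], tok[4])  # direction, interface
            elif tok[0] == "policy-map" and len(tok) == 2:
                cur_pm = tok[1]
                cfg["policy"].setdefault(cur_pm, {})
            elif tok[0] == "service-policy" and len(tok) == 3 and tok[2] == "global":
                cfg["global_policy"] = tok[1]
        elif ind == 1:
            if cur_og and tok[:2] == ["service-object", "icmp"] and len(tok) > 2:
                cfg["og"][cur_og].add(tok[2])
            elif cur_pm and tok[0] == "class" and len(tok) == 2:
                cur_class = tok[1]
                cfg["policy"][cur_pm].setdefault(cur_class, [])
        elif cur_pm and cur_class:
            cfg["policy"][cur_pm][cur_class].append(" ".join(tok))
    return cfg


def _skip_addr(words, i):
    """Index just past an address spec: 'any' is one token; 'host X',
    'object X', 'object-group X' and 'NET MASK' are two."""
    if i >= len(words):
        return i
    return i + 1 if words[i] in ("any", "any4", "any6") else i + 2


def icmp_types_permitted(cfg, acl_name):
    """ICMP message types an ACL permits, with service object-groups expanded."""
    types = set()
    for entry in cfg["acl"].get(acl_name, []):
        words = entry[1:] if entry[0] == "extended" else entry
        if len(words) < 2 or words[0] != "permit":
            continue  # remarks and deny lines
        if words[1] == "icmp":
            i = _skip_addr(words, _skip_addr(words, 2))
            if i < len(words):
                types.add(words[i])
            else:  # 'permit icmp any any' with no type covers every message
                types |= REQUIRED_RETURN | RECOMMENDED_RETURN
        elif words[1] == "object-group" and len(words) > 2:
            types |= cfg["og"].get(words[2], set())
    return types


def audit(config_text, outside="outside"):
    """Return pass/fail per setting plus human-readable findings."""
    cfg = parse_config(config_text)
    findings = []
    inbound = [n for n, (d, ifc) in cfg["access_groups"].items() if d == "in" and ifc == outside]
    permitted = set()
    for name in inbound:
        permitted |= icmp_types_permitted(cfg, name)
    missing = REQUIRED_RETURN - permitted
    if not inbound:
        findings.append(f"no access-group applied 'in' on {outside}")
    elif missing:
        findings.append(f"inbound ACL on {outside} does not permit icmp {sorted(missing)}: "
                        "intermediate hops show as 'Request timed out'")
    if not RECOMMENDED_RETURN & permitted:
        findings.append("icmp unreachable not permitted: UDP/TCP traceroute cannot see the final hop")
    classes = cfg["policy"].get(cfg["global_policy"], {})
    actions = {a for acts in classes.values() for a in acts}
    result = {
        "icmp_return_ok": not missing,
        "inspect_icmp": "inspect icmp" in actions,
        "inspect_icmp_error": "inspect icmp error" in actions,
        "decrement_ttl": "set connection decrement-ttl" in classes.get("class-default", []),
    }
    if not result["inspect_icmp"]:
        findings.append("global policy lacks 'inspect icmp': echo/echo-reply are not tracked as a connection")
    if not result["inspect_icmp_error"]:
        findings.append("global policy lacks 'inspect icmp error': ICMP errors from intermediate "
                        "hops are not matched to the originating flow through NAT")
    if not result["decrement_ttl"]:
        findings.append("class-default lacks 'set connection decrement-ttl': the ASA itself "
                        "will not appear as a hop (cosmetic, not a cause of time-outs)")
    result["findings"] = findings
    return result


# Constructed from the config posted above: ICMP return ACL and decrement-ttl
# are present, the two inspections are not
POSTED_CONFIG = """\
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
access-group IF_outside_access_in in interface IF_outside
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""
# Same config with the inspections the first reply asks for
FIXED_CONFIG = POSTED_CONFIG.replace(
    "policy-map global_policy\n",
    "policy-map global_policy\n class inspection_default\n  inspect icmp\n  inspect icmp error\n")

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        r = audit(text, outside="IF_outside")
        print(label, {k: v for k, v in r.items() if k != "findings"})
        for f in r["findings"]:
            print("  -", f)
```

Run against the posted excerpt it reports the return ACL and decrement-ttl as present and flags the two missing inspections; against the fixed variant it reports nothing. Because the posted excerpt is only part of a running-config, a real audit should be fed the full "show running-config" output so that an "inspect icmp" sitting in another class is not missed.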
