HI

I try by adding the above configuration but still i'm not able to traceroute to any IP Or public sites

raghu@mon:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  sw1-core-107 (10.10.4.2)  0.567 ms  0.517 ms  0.460 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

raghu@mon:~$ traceroute google.com
traceroute to google.com (74.125.196.139), 30 hops max, 60 byte packets
 1  sw1-core-107 (10.10.4.2)  0.841 ms  0.802 ms  0.801 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

i can able to ping any of the Public sites & IP's but i can't do  Traceroute from the Inside (Private) network

Hi,

Have you confirmed that no other device between the host and the firewall is not blocking this traffic?

Are you able to traceroute from the ASA CLI to the mentioned IP addresses?

- Jouni

hi

yes i can able to do traceroute to the IP's from the ASA

Hi,

Have you confirmed the other thing? I mean have you checked the network devices leading from the host to the ASA for any interface ACLs that could block/prevent the ICMP messages from reaching the host?

You also have the possibility to configure a traffic capture on the ASAs external and/or internal interface to capture the ICMP traffic and confirm exactly where the ICMP traffic stops.

- Jouni
 

Hi

please find the below ACL which i added to allow the Traceroute & icmp,

i can able to do ping to any of the public IP & sites from the inside hosts so icmp is allowed only i can't do the traceroute from the inside hosts,

fw-act# sh run | grep icmp
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object echo
 icmp-object time-exceeded
 icmp-object traceroute
access-list outside_in extended permit icmp any any object-group icmp-allowed
access-list inside_in extended permit icmp any any object-group icmp-allowed
icmp unreachable rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  inspect icmp
  inspect icmp error

access-group outside_in in interface outside
access-group inside_in in interface inside

Hi,

Yes, but I am asking if there is another device in the LAN network that might prevent this ICMP return traffic that is generated by the devices in between your LAN host and the external server you are tracing?

Normal ICMP tends to work better because it involves only your LAN host and the destination server. The Traceroute involved your LAN host and all the router hops between it and the destination server.

Have you monitored the logs on the ASA while doing the traceroute to confirm if anything is blocked on the firewall related to it? You can open the ASDM and open the Monitor/Logging section and look for any denied traffic on the external interface when doing the trace.

But I would still suggest checking the network devices on your LAN so see if there is no interface ACLs there that might block the traffic.

- Jouni

hi

This host is connected to the L2 Switch which connect to Core switch3560 which connect to ASA, we not defined any ACL's on the Core switch

find the debug

ICMP echo request from inside:10.10.4.101 to outside:8.8.8.8 ID=18932 seq=0 len=68
ICMP echo request translating inside:10.10.4.101 to outside:173.140.15.83
ICMP echo reply from outside:8.8.8.8 to inside:173.140.15.83 ID=18932 seq=0 len=64
ICMP echo reply untranslating outside:173.140.15.83 to inside:10.10.4.101
 

Hi,

That to me seems like a simple ICMP Echo from the host to the server and a reply directly from the server to the host.

In a traceroute I would imagine I should be seeing the different IP addresses (from the internet routers in between) replying to the host with "Time to live exceeded in transit"

You can for example use Wireshark on your host to capture all traffic sent by it and that arrives to it and check if any devices in between are replying to the ICMP messages sent.

I guess you would also check your external ACL and see if there are any hitcounts on it (time-exceeded). Can you show us the output of

show access-list outside_in

- Jouni

fw-act# show access-list outside_in
access-list outside_in; 12 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any object-group icmp-allowed (hitcnt=221179) 0x4f3485dd
  access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=221179) 0x46105ee8
  access-list outside_in line 1 extended permit icmp any any unreachable (hitcnt=113064) 0x1c800641
  access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
  access-list outside_in line 1 extended permit icmp any any time-exceeded (hitcnt=33942) 0x2df45441
  access-list outside_in line 1 extended permit icmp any any traceroute (hitcnt=0) 0x77380270
access-list outside_in line 2 extended deny ip 127.0.0.0 255.0.0.0 any (hitcnt=0) 0x9645c259
access-list outside_in line 3 extended deny ip 192.0.0.0 255.255.255.0 any (hitcnt=0) 0xc9bbc42a
access-list outside_in line 4 extended deny ip 224.0.0.0 224.0.0.0 any (hitcnt=0) 0x4e1166f8
access-list outside_in line 5 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=0) 0xd5a73d29
access-list outside_in line 6 extended deny ip 172.16.0.0 255.240.0.0 any (hitcnt=0) 0x381828f9
access-list outside_in line 7 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0) 0x96dc063f
access-list outside_in line 8 extended deny ip host 0.0.0.0 any (hitcnt=0) 0x5b0456ed

Hi,

Seems like there are hitcounts on the "time-exceeded" rule.

Can you try doing the traceroute from your L3 switch?

- Jouni

sw1-core-107#trace 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *

Trace route to ASA Inside Interface IP

sw1-core-107#traceroute 172.31.3.4

Type escape sequence to abort.
Tracing the route to 172.31.3.4

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *

i can't even do traceroute to ASA Inside interface   IP

But i can able to ping

sw1-core-107#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

sw1-core-107#ping 172.31.3.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

HI

can any one help me regarding this issue