Community Member

ASA not allowing trace

Hi,

We have an ASA5550 firewalling our LAN from the internet. ICMP is open any any both ways for testing, but when we do a trace to a public address on the internet, the ASA is not showing all the hops along the line. Any idea?

Regards,

7 REPLIES

Re: ASA not allowing trace

You need to configure the ASA to decrement the TTL in the traceroute - however there is a security advisory about this, the vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.

HTH>

Community Member

Re: ASA not allowing trace

Thanks Andy,

Can you send me an example.

Regards,

Re: ASA not allowing trace

Sure - try:-

!
policy-map global_policy
 class class-default
  set connection decrement-ttl
!

HTH>

Community Member

Re: ASA not allowing trace

Andy,

We are not doing any QoS on the ASA, is this the only way?

We are running version 8.04 IOS.

Regards,

Re: ASA not allowing trace

That is not QoS configuration - it is amending the default policy that exists in the ASA.

There is no other way to configure the ASA to show itself as a hop in a trace route - the ASA will NOT decrement the TTL unless told to.
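
The behaviour described in the reply above, as an added example that is not part of the original thread: a small simulation of traceroute probes crossing a path in which one device forwards packets without decrementing the TTL. The device names and the four-device path are constructed for illustration.

```python
# Added illustration: how traceroute sees a path when one device forwards
# packets without decrementing the IP TTL (the ASA default per the thread).
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True   # ordinary routers decrement the TTL
    is_destination: bool = False


def build_path(asa_decrements_ttl):
    """Constructed sample path: LAN router -> ASA -> ISP router -> target host."""
    return [
        Hop("lan-router"),
        Hop("asa", decrements_ttl=asa_decrements_ttl),
        Hop("isp-router"),
        Hop("public-host", is_destination=True),
    ]


def probe(path, ttl):
    """Send one probe with the given starting TTL; return who answers it."""
    for hop in path:
        if hop.is_destination:
            return hop.name        # the target itself replies
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.name    # TTL expired here: ICMP time-exceeded
        # a device that does not decrement just forwards the packet unchanged
    return None


def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, 3, ... and list the responder seen at each step."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder = probe(path, ttl)
        hops.append(responder)
        if responder == path[-1].name:
            break
    return hops


if __name__ == "__main__":
    print("default         :", traceroute(build_path(False)))
    print("with decrement  :", traceroute(build_path(True)))
```

With the default behaviour the firewall never appears in the output and the path looks one hop shorter; once it decrements the TTL it shows up as its own hop.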

Community Member

Re: ASA not allowing trace

Thanks Andy,

Can you send me an example.

Regards,

Re: ASA not allowing trace

See my previous post.
