ASA5515x - Need to allow traceroute

Steve Coady
Level 1

Hello

I have a Guest wireless network running through an ASA5515x that has no access to internal services.

I have implemented the following in hopes of allowing traceroute through, but when I run it from cmd, no hops are reported. *   *   *!!!

access-group Guest_Wireless_access_in in interface outside
access-list Guest_Wireless_access_in extended permit icmp any any echo-reply
access-list Guest_Wireless_access_in extended permit icmp any any unreachable
access-list Guest_Wireless_access_in extended permit icmp any any time-exceeded

Please review and advise.

sMc

6 Replies

Bikramjit Majumdar
Cisco Employee
Hello Steve,

This document should answer all your questions: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#trace

Let me know if it helps.

Regards,
Bikramjit
*Do rate helpful posts*

Bimajumd

Thank you for the reply.

Is there a difference between the PIX 500 and an ASA5515x for this type of config?

sMc

Hello Steve,

Hardware-wise there are lots of differences. Software-wise it depends what software you're running on the 5515, because from 8.3 onwards the NAT rule and its implementation change on the ASA. For this traceroute config, the example in the document should work for you.

Regards,
Bikram
*Do rate helpful posts*

Hello

Just to make sure I follow you:

I am on the inside of the network behind the ASA with a 192.168.x.x address, and I am trying to issue tracert from my command line to youtube and I get all *   *   *.

This doc looks like it discusses being on the outside and trying to traceroute to the ASA.

sMc

Take a look at this guide.

http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

Hello Steve,

Adding the below MPF on the ASA, apart from the ACL which you need to add on the outside interface, should work.

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

Reason: the ASA itself does not decrease the TTL as it passes traffic, and to rectify this we need to make a small change to the global inspection policy via the Modular Policy Framework (MPF).

Regards,
Bikram
*Do rate helpful posts*