New Member

ASA5515x - Need to allow traceroute

Hello

I have a Guest wireless network running through an ASA5515x that has no access to internal services.

I have implemented the following in the hope of allowing traceroute through, but when I run it from cmd, no hops are reported: *   *   *!!!

access-group Guest_Wireless_access_in in interface outside
access-list Guest_Wireless_access_in extended permit icmp any any echo-reply
access-list Guest_Wireless_access_in extended permit icmp any any unreachable
access-list Guest_Wireless_access_in extended permit icmp any any time-exceeded

Please review and advise.

sMc
6 REPLIES
Cisco Employee

Hello Steve,

This document should answer all your questions: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#trace

Let me know if it helps.

Regards,
Bikramjit
*Do rate helpful posts*
New Member

Bimajumd

Thank you for the reply.

Is there a difference between the Pix 500 and an ASA5515x for this type of config?

sMc
Cisco Employee

Hello Steve,

Hardware-wise there are lots of differences. Software-wise it depends what software you're running on the 5515, because from 8.3 onwards the NAT rule and its implementation change on the ASA. For this traceroute config, the example in the document should work for you.

Regards,
Bikram
*Do rate helpful posts*
New Member

Hello

Just to make sure I follow you:

I am on the inside of the network behind the ASA with a 192.168.x.x address, and I am trying to issue tracert from my command line to youtube and I get all *   *   *.

This doc looks like it discusses being on the outside and trying to traceroute to the ASA.

sMc

Take a look at this guide.

http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

Cisco Employee

Hello Steve,

Add the below MPF on the ASA, in addition to the ACL you need to add on the outside interface, and it should work.

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

Reason: the ASA itself does not decrease the TTL as it passes traffic, and to rectify this we need to make a small change to the global inspection policy via the modular policy framework (MPF).

Regards,
Bikram
*Do rate helpful posts*
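To make the two pieces of advice in this thread concrete (the outside-interface ACL permitting echo-reply, unreachable and time-exceeded, and `set connection decrement-ttl` in the global policy), here is an added Python simulation. It is not Cisco's code and not something posted in the thread: it models how tracert probes and their ICMP replies move through a path that contains a stateful firewall, and shows which combination of settings produces the all-`* * *` output, which makes the hops beyond the ASA appear, and which makes the ASA itself show up as a hop. The hop names and addresses are constructed, and the firewall is modelled in the simplified way the thread describes: it drops any inbound ICMP type its ACL does not permit and, unless decrement-ttl is set, forwards probes without touching their TTL.

```python
"""Simplified model of tracert through an ASA (added example, not Cisco code).

Windows tracert sends ICMP echo requests with increasing TTL. Each router
that decrements the TTL to zero discards the probe and answers with ICMP
time-exceeded; the destination answers with echo-reply. Every reply has to
travel back *in* through the firewall's outside interface, so a firewall
whose ACL lacks that ICMP type turns the hop into '*'.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample addresses (documentation ranges, not real hosts).
ASA_OUTSIDE = "203.0.113.1"
ISP_A = "198.51.100.1"
ISP_B = "198.51.100.9"
DEST = "192.0.2.10"

# The three ICMP types the thread's ACL permits on the outside interface.
THREAD_ACL = {"echo-reply", "unreachable", "time-exceeded"}


@dataclass
class Hop:
    name: str
    addr: str
    decrements_ttl: bool = True          # an ASA without decrement-ttl leaves TTL untouched
    inbound_icmp: Optional[Set[str]] = None  # None = plain router, forwards every reply


def _return_reply(return_path: List[Hop], reply: Tuple[str, str]) -> Optional[str]:
    """Carry an ICMP reply back toward the client through return_path.

    A firewall on the way back drops the reply if its ACL does not permit the
    reply's ICMP type; traceroute then prints '*' for that TTL.
    """
    addr, icmp_type = reply
    for hop in reversed(return_path):
        if hop.inbound_icmp is not None and icmp_type not in hop.inbound_icmp:
            return None
    return addr


def probe(path: List[Hop], dest: str, ttl: int) -> Optional[str]:
    """Send one echo probe with the given TTL; return the replying address or None."""
    for i, hop in enumerate(path):
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                # This hop discards the probe and answers with time-exceeded.
                # The reply only has to cross the hops *before* it on the way back.
                return _return_reply(path[:i], (hop.addr, "time-exceeded"))
    # Probe reached the destination; tracert gets an echo-reply back.
    return _return_reply(path, (dest, "echo-reply"))


def traceroute(path: List[Hop], dest: str, max_ttl: int = 6) -> List[str]:
    """Run probes with TTL 1..max_ttl, stopping once the destination answers."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, dest, ttl)
        hops.append(answer if answer else "*")
        if answer == dest:
            break
    return hops


def build_path(acl: Set[str], decrement_ttl: bool) -> List[Hop]:
    """Client -> ASA outside interface -> two ISP routers -> destination."""
    return [
        Hop("asa-outside", ASA_OUTSIDE, decrements_ttl=decrement_ttl, inbound_icmp=acl),
        Hop("isp-a", ISP_A),
        Hop("isp-b", ISP_B),
    ]


def run_scenarios() -> dict:
    """The three states discussed in the thread, as traceroute output lists."""
    return {
        # No ACL for the ICMP replies, no decrement-ttl: every probe's reply is dropped.
        "default": traceroute(build_path(set(), False), DEST),
        # ACL added: replies get back in, but the ASA never appears as a hop.
        "acl_only": traceroute(build_path(THREAD_ACL, False), DEST),
        # ACL plus 'set connection decrement-ttl': the ASA shows up as hop 1.
        "acl_and_decrement_ttl": traceroute(build_path(THREAD_ACL, True), DEST),
    }


if __name__ == "__main__":
    for name, hops in run_scenarios().items():
        print(f"{name:22s} ", "  ".join(hops))
```

Running it prints six `*` entries for the default case (the poster's symptom), `198.51.100.1  198.51.100.9  192.0.2.10` with the ACL alone, and the same list with `203.0.113.1` in front once decrement-ttl is added. A real ASA running `inspect icmp` and `inspect icmp error` handles these replies statefully rather than purely by ACL, so the model only illustrates the mechanism; the thread's fix is the ACL plus the MPF change.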