Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ICMP Inspection and Traceroute

I'm setting up a ASA5520 (version 8.2(1))and would like to enable Traceroute from the Inside to the Outside. Most articles tell you to use ICMP Inspection instead of ACL's for this. ICMP Inspection appears to only allow replies that are from the destination IP and not the time-exceeded messages from the hops along the way.

ICMP Inspection allows Pings to work fine to the outside but when I try to traceroute, I will only receive the last reply from the destination, and all intermediary hops are timed out.

For example:

C:\Users\Craig>tracert -d

Tracing route to over a maximum of 30 hops

1 * * * Request timed out.

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 34 ms 33 ms 33 ms

Trace complete.

By enabling ICMP inspection, I can see how many hops away the destination is, but I'd also like to see the addresses of those hops.

I could add an ACL to allow ICMP time-exceeded messages in, but isn't that not recommended? And all these Cisco articles seem to imply that ICMP Inpection should handle traceroute with out ACL's:


So does ICMP inspection do anything but allow pings back? Shouldn't it know the state of a traceroute request and allow time-exceeded message back to the requesting computer?



New Member

Re: ICMP Inspection and Traceroute


Have you enabled ICMP error inspection as well? In order for the ASA to process ICMP error messages, you'll need to enable error inspection with the following command in your policy:

inspect icmp error




Cisco Employee

Re: ICMP Inspection and Traceroute

In addition to icmp and icmp error inspections, icmp time-exceeded needs to be allowed via access-list as well.

New Member

Re: ICMP Inspection and Traceroute

Turning on ICMP Error inspection didn't work (I think that is for inbound traceroute and I want outbound) and I was trying to be more secure by avoiding ICMP access-lists and hoping that ICMP Ispection would do that for me.

Is ICMP inspection only useful for echo-replies?

It appears ICMP inspection only allows ICMP replies from the destination computer. Which means it is useless for ICMP Time Exceeded and and Destination Unreachable messages since those messages can come from a intermediate hop. They have to be allowed via an access list to allow traceroute replies and PMTU Discovery messages.

I guess ICMP may work for Source Quench since those replies would come from the source.

Cisco Employee

Re: ICMP Inspection and Traceroute

I tested it before I wrote yesterday. I only had to add inspect icmp and inspect icmp error and allow time-exceeded to come back (for outbound trace route)

you are right icmp inspection is only allow one response to come back.

The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

inspect icmp error command creates xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops.

CreatePlease to create content