I have an ASA 5505. From my LAN I can ping internet devices, but I can't traceroute it!!
I tried everything I found at Cisco:
1- ACL: I allowed all kinds of ICMP, IP, UDP, TCP on inside and outside
2- ICMP inspect
3- set connection decrement-ttl
My LAN device is UNIX,
and I can do traceroute from the ASA.
I attached my show run.
Oops... you have a UNIX server on the inside. Hmm, UNIX uses UDP for traceroute.
Could you please take syslogs at the debugging level? They would tell you exactly what is being blocked.
Can you remove the access-list bound to the inside interface and then try?
no access-group inside_access_in in interface inside
Hi everyone, I tried what you asked.
I tried traceroute -n -I 184.108.40.206 and I get this:
root@vashouse03:~# traceroute -n -I 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 126.96.36.199 195.437 ms 207.442 ms 212.364 ms
I added inspect icmp error
and tried, and got the same...
Then I removed the ACL from the inside interface, and I get nothing...
Any idea, please?
I don't understand (syslogs at the debugging level).
Do you mean run debug icmp trace on my ASA?
If yes, what level do you want?
Or from my server?
If you mean the ASA command, I used it and did traceroute 188.8.131.52 from my server, and I get nothing on my ASA!!!
If I use traceroute -n -I 184.108.40.206 I get the attached output.
Taking syslogs:
Access the ASA via telnet/ssh
logg mon 7
Syslogs would start generating on screen.
Capture the screen output in a text file.
To stop syslogs:
term no mon
Have a look at the following link
Handling ICMP Pings and Traceroute:
If helpful, rate.
I found it...
ASA OS 7.2 has a bug: it can't decrement TTL, so traceroute will not work unless you upgrade to OS 8.3
BUG ID : CSCsk 76401
I guess I am the Cisco specialist ;)
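
The three settings tried in this thread (ICMP replies permitted by ACL, ICMP inspection, TTL decrement), written out as an ASA configuration fragment. This is an added example, not taken from the poster's attached show run; the ACL name outside_access_in and the use of the default global_policy are assumptions.

```cisco
! Added example (not from the thread). Assumes the default global_policy
! is applied globally and that the outside ACL is named outside_access_in.

! UNIX traceroute sends UDP probes; the answers come back as ICMP
! time-exceeded (intermediate hops) and unreachable (final hop).
! Permit only those two ICMP types inbound rather than all ICMP.
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

policy-map global_policy
 ! Track ICMP echo sessions and fix up addresses inside ICMP error payloads
 class inspection_default
  inspect icmp
  inspect icmp error
 ! Make the ASA decrement TTL so it shows up as a hop in the trace
 class class-default
  set connection decrement-ttl

! Let the ASA itself answer expired probes without being rate-limited
! down to the default of one unreachable message per second
icmp unreachable rate-limit 10 burst-size 5
```

With `logg mon 7` active as described earlier in the thread, any probe or reply still being dropped shows up in the debugging-level syslogs while the traceroute runs.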