
New Member

Traceroute through ASA 5500 7.2(2)

No matter what I do I can't make outbound traceroute through my ASA 5500 work. I've followed Cisco's recommendations and those from fellow posters here for similarly reported problems, but still no luck. What I see is a request timeout at each hop except the final destination. I have the following set:

Policy:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

ACL on outside (public) interface:

access-list acl-public extended permit icmp any any echo-reply
access-list acl-public extended permit icmp any any echo
access-list acl-public extended permit icmp any any time-exceeded
access-list acl-public extended permit icmp any any source-quench
access-list acl-public extended permit icmp any any unreachable

Interestingly enough I can traceroute directly on the ASA to remote sites with no issue, but it fails from all hosts behind both the inside and DMZ interfaces.

I manage two other ASA/PIXs and have no issues with traceroute on those networks, but they are both running 8.0 and not 7.2 (not that this should matter).

Any insight or diagnostic tricks to help determine what might be happening? Thanks!

2 REPLIES
Cisco Employee

Re: Traceroute through ASA 5500 7.2(2)

Some of the best tools to use when diagnosing situations like this are packet captures and syslogs. Looking at your configuration above, the only thing that you should really need from an access-list standpoint is 'time-exceeded'. The 'inspect icmp' and 'inspect icmp error' commands should cover the rest.

For the packet captures, you can do the following in 7.2:

access-list TAC extended permit icmp any any
capture capin int inside packet-l 1522 buffer 512000 access-list TAC
capture capout int public packet-l 1522 buffer 512000 access-list TAC

By doing a 'show capture capout', you will be able to see all of the packets that are sent from the ASA's outside interface and what is received. If you download these capture files from the ASA (the easiest way is often 'http:///capture//pcap'), you can open them in Wireshark/Ethereal and read all of the details of the flow(s).

I didn't find any bugs that are related to this issue but there have been a number of bugs resolved since 7.2(2).
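As an added illustration (not part of this thread and not a Cisco tool), a small Python check that parses the policy-map and ACL lines quoted above and applies the rule from this reply: with both ICMP inspections enabled, the outside ACL only needs 'time-exceeded', and any other any-to-any ICMP permit is surplus exposure worth reviewing. The sample configuration, function names and the 'acl-public' interface ACL name are taken from the thread; the "<all>" marker for a type-less permit is a constructed label.

```python
import re

# Constructed sample: the poster's policy-map and outside ACL from this thread.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
access-list acl-public extended permit icmp any any echo-reply
access-list acl-public extended permit icmp any any echo
access-list acl-public extended permit icmp any any time-exceeded
access-list acl-public extended permit icmp any any source-quench
access-list acl-public extended permit icmp any any unreachable
"""

# Matches 'access-list <name> extended permit icmp any any [<icmp-type>]'.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+any\s+any(?:\s+(\S+))?$")


def parse_config(text):
    """Collect every 'inspect ...' line and, per ACL name, the set of ICMP
    types permitted any-to-any ('<all>' when no type is given)."""
    inspects, acls = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("inspect "):
            inspects.add(line)
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2) or "<all>")
    return inspects, acls


def traceroute_findings(text, outside_acl):
    """Report what is missing for traceroute through the ASA and which
    outside-ACL ICMP permits go beyond what the inspections already cover."""
    inspects, acls = parse_config(text)
    findings = []
    for needed in ("inspect icmp", "inspect icmp error"):
        if needed not in inspects:
            findings.append(f"missing: {needed}")
    types = acls.get(outside_acl, set())
    if "time-exceeded" not in types:
        findings.append(f"missing: {outside_acl} permit icmp any any time-exceeded")
    for t in sorted(types - {"time-exceeded"}):
        findings.append(f"surplus: {outside_acl} permits icmp any any {t}")
    return findings


if __name__ == "__main__":
    for finding in traceroute_findings(SAMPLE_CONFIG, "acl-public"):
        print(finding)
```

Run against the poster's configuration it reports nothing missing and flags the four extra ICMP permits as surplus.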

New Member

Re: Traceroute through ASA 5500 7.2(2)

Must have been a bug in 7.2(2). I updated to 7.2(4) and it fixed it. Thanks.
