No matter what I do I can't make outbound traceroute through my ASA 5500 work. I've followed Cisco's recommendations and those from fellow posters here for similarly reported problems, but still no luck. What I see is a request timeout at each hop except the final destination. I have the following set:
inspect icmp error
ACL on outside (public) interface:
access-list acl-public extended permit icmp any any echo-reply
access-list acl-public extended permit icmp any any echo
access-list acl-public extended permit icmp any any time-exceeded
access-list acl-public extended permit icmp any any source-quench
access-list acl-public extended permit icmp any any unreachable
Interestingly enough I can traceroute directly on the ASA to remote sites with no issue, but it fails from all hosts behind both the inside and DMZ interfaces.
I manage two other ASAs/PIXes and have no issues with traceroute on those networks, but they are both running 8.0 and not 7.2 (not that this should matter).
Any insight or diagnostic tricks to help determine what might be happening? Thanks!
One of the best tools to use when diagnosing situations like this is packet captures together with syslogs. Looking at your configuration above, the only thing that you should really need from an access-list standpoint is 'time-exceeded'. The 'inspect icmp' and 'inspect icmp error' commands should cover the rest.
For the packet captures, you can do the following in 7.2:
access-list TAC extended permit icmp any any
capture capin interface inside packet-length 1522 buffer 512000 access-list TAC
capture capout interface public packet-length 1522 buffer 512000 access-list TAC
By doing a 'show capture capout', you will be able to see all of the packets that are sent from the ASA's outside interface and what is received. If you download these capture files from the ASA (the easiest way is often 'http:///capture//pcap'), you can open them in Wireshark/Ethereal and read all of the details of the flow(s).
I didn't find any bugs that are related to this issue but there have been a number of bugs resolved since 7.2(2).
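To make the answer's point about 'inspect icmp error' concrete, here is an added example that is not part of the thread and not Cisco code. It models, in Python, what happens to an ICMP time-exceeded message that comes back through a NAT: ordinary address translation only rewrites the outer destination, so the IP header quoted inside the ICMP error still carries the global (post-NAT) source address, and the inside host's traceroute cannot match it to the probe it sent. The `inspect icmp error` fix-up additionally rewrites that embedded header. All addresses, ports and packet bytes are constructed for illustration; `xlate` stands in for the ASA's translation table.

```python
"""Added example: why traceroute through a NAT needs the embedded IP header
of ICMP errors translated, not just the outer header. Not from the thread."""
import socket
import struct
from dataclasses import dataclass


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """A UNIX-style traceroute probe: UDP to a high port with a small TTL."""
    udp = struct.pack("!HHHH", sport, dport, 12, 0) + b"\x00" * 4
    return ipv4(src, dst, 17, udp, ttl)


def time_exceeded(router: str, dst: str, original: bytes) -> bytes:
    """ICMP type 11/code 0 quoting the original IP header plus 8 bytes."""
    body = struct.pack("!BBHI", 11, 0, 0, 0) + original[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4(router, dst, 1, body)


@dataclass
class IcmpError:
    outer_src: str
    outer_dst: str
    icmp_type: int
    inner_src: str
    inner_dst: str
    inner_proto: int
    inner_dport: int


def parse_icmp_error(pkt: bytes):
    """Pull the outer addresses and the quoted probe out of an ICMP error."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    icmp = pkt[ihl:]
    if icmp[0] not in (3, 11):          # unreachable / time-exceeded only
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return IcmpError(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
                     icmp[0], socket.inet_ntoa(inner[12:16]),
                     socket.inet_ntoa(inner[16:20]), inner[9], dport)


def untranslate_icmp_error(pkt: bytes, xlate: dict, fix_embedded: bool = True) -> bytes:
    """Reverse-NAT an inbound ICMP error. fix_embedded=False is plain NAT
    (outer destination only); True is what 'inspect icmp error' adds: the
    quoted source address is rewritten too, and all checksums refreshed."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    global_ip = socket.inet_ntoa(outer[16:20])
    local = socket.inet_aton(xlate.get(global_ip, global_ip))
    outer[16:20] = local
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    inner = icmp[8:]
    if fix_embedded and inner[12:16] == socket.inet_aton(global_ip):
        inner_ihl = (inner[0] & 0x0F) * 4
        inner[12:16] = local
        inner[10:12] = b"\x00\x00"
        inner[10:12] = struct.pack("!H", checksum(bytes(inner[:inner_ihl])))
        icmp[8:] = inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer + icmp)


def checksums_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0 and checksum(pkt[ihl:]) == 0


def matches_probe(pkt: bytes, host: str, target: str, dport: int) -> bool:
    """The check traceroute performs before it prints a hop: does the quoted
    datagram look like the probe this host sent to that port?"""
    err = parse_icmp_error(pkt)
    return (err is not None and err.outer_dst == host and err.inner_src == host
            and err.inner_dst == target and err.inner_proto == 17
            and err.inner_dport == dport)


if __name__ == "__main__":
    # Constructed scenario: inside host 10.1.1.20 is PATed to 203.0.113.10.
    xlate = {"203.0.113.10": "10.1.1.20"}
    on_wire = udp_probe("203.0.113.10", "192.0.2.50", 33434, 33435, ttl=1)
    reply = time_exceeded("198.51.100.1", "203.0.113.10", on_wire)
    for label, fix in (("NAT only", False), ("inspect icmp error", True)):
        got = untranslate_icmp_error(reply, xlate, fix_embedded=fix)
        print(label, "->", parse_icmp_error(got), "hop shown:",
              matches_probe(got, "10.1.1.20", "192.0.2.50", 33435))
```

Run it and compare the two lines: with NAT alone the error reaches the host but quotes 203.0.113.10 as the probe's source, so the host discards it and prints a timeout for that hop; with the embedded header rewritten the same error matches and the hop is displayed. That is the difference between the captures on `capout` (error arrives) and `capin` (error is usable) that the answer suggests comparing.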