Cisco Support Community

New Member

Traceroute through ASA v 7.2

I'm able to ping (from a Windows machine) anything through the ASA, but when trying to trace I get "Request timed out" all the way until it actually hits the address. What commands are required to get all the hops to show up in a trace?

13 REPLIES
Gold

Re: Traceroute through ASA v 7.2

You need to permit the following ICMP types:

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any echo-reply

M.

New Member

Re: Traceroute through ASA v 7.2

If I create that ACL, where is it applied?

Gold

Re: Traceroute through ASA v 7.2

It should be on the inside interface of the ASA... Do you have an ACL applied there? If yes, you should add those lines to that ACL.

M.

New Member

Re: Traceroute through ASA v 7.2

I'm already permitting "icmp any" from the inside out. Do these have to be permitted individually?

New Member

Re: Traceroute through ASA v 7.2

The access-list with the echo-reply should be on your outside interface,

since you ping from inside to outside.

So it is the outside host which replies to the echo...

If you get time-outs AFTER the packet goes through the ASA, it could be normal, since not all routers on the Internet reply to ping...

Best regards,

KH

New Member

Re: Traceroute through ASA v 7.2

JMS112080 -

Did you get this issue resolved? I'm experiencing the same thing. Traceroute was working fine until last week, then I started seeing the same thing you did. What was your resolution?

New Member

Re: Traceroute through ASA v 7.2

Not yet...Still seeing the same issue.

New Member

Re: Traceroute through ASA v 7.2

Hi. Is there a resolution for this issue? I have just encountered the same.

Regards.

Re: Traceroute through ASA v 7.2

Hi,

The following ACLs should be applied:

On the inside ACL:

permit icmp any

On the outside ACL:

permit icmp any time-exceeded

permit icmp any unreachable

permit icmp any echo-reply

The trick is to use the NATed IP/subnet of your LAN in the outside ACL.

If this doesn't work, add on the outside ACL:

permit icmp any traceroute

You might want to try with "ip any any" on the inside ACL (the one facing the LAN) to identify where the filtering is incorrect.

In the future, when you need to troubleshoot, the "capture" command is priceless for seeing traffic hitting interfaces.

Please rate if this helped.

Regards,

Daniel

New Member

Re: Traceroute through ASA v 7.2

You need to do the following two items for Windows tracert to work properly.

--------------------------------------------

access-list (inside) extended permit icmp any any echo

access-list (outside) extended permit icmp any any echo-reply

access-list (outside) extended permit icmp any any time-exceeded

For UNIX/Linux traceroute to work properly:

---------------------------------------------

I would say permit the same as above, except add permit UDP 33433 and up.
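Added example, not code from any of the posts above: a small Python model of the advice in the replies by M., Daniel and the poster just above. It parses ASA-style "permit ... any any" entries, then walks a Windows tracert (ICMP echo probes) and a UNIX traceroute (UDP probes, base port 33434 in the classic implementation) through an inside ACL on the way out and an outside ACL on the way back, and prints what the user would see per hop. The ACL names inside_in and outside_in, the four-hop path and the UDP port range are assumptions; the model is stateless and deliberately ignores the ASA's ICMP inspection, so it only shows what the interface ACLs alone admit.

```python
"""Which traceroute probes and replies a pair of ASA interface ACLs let through.
Added example: ACL names, path length and port range are constructed; only the
ACE syntax is the ASA's. Stateless model: ICMP inspection is not modelled."""
import re
from dataclasses import dataclass
from typing import Optional

# ICMP type keywords accepted in ASA access-list entries, with numeric types.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3,
              "time-exceeded": 11, "traceroute": 30}
UDP_BASE_PORT = 33434  # base destination port of classic UNIX traceroute


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip", "icmp" or "udp"
    icmp_type: Optional[int]        # None: any ICMP type
    port_lo: Optional[int]          # None: any UDP destination port
    port_hi: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.proto == "icmp" and self.icmp_type is not None:
            return pkt.icmp_type == self.icmp_type
        if self.proto == "udp" and self.port_lo is not None:
            return self.port_lo <= pkt.dport <= self.port_hi
        return True


ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+(ip|icmp|udp)"
                    r"\s+any\s+any(?:\s+(.*))?$")


def parse_acl(text: str) -> dict[str, list[Ace]]:
    """Parse 'permit ... any any' entries into {acl_name: [Ace, ...]}.
    Remarks are skipped; any other syntax (deny, objects, addresses) raises."""
    acls: dict[str, list[Ace]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or " remark " in line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported entry: {line}")
        name, proto, rest = m.group(1), m.group(2), (m.group(3) or "").split()
        icmp_type = lo = hi = None
        if proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]]
        elif proto == "udp" and rest:
            if rest[0] == "eq":
                lo = hi = int(rest[1])
            elif rest[0] == "gt":
                lo, hi = int(rest[1]) + 1, 65535
            elif rest[0] == "range":
                lo, hi = int(rest[1]), int(rest[2])
            else:
                raise ValueError(f"unsupported port operator: {rest[0]}")
        acls.setdefault(name, []).append(Ace(proto, icmp_type, lo, hi))
    return acls


def permitted(acl: list[Ace], pkt: Packet) -> bool:
    return any(ace.matches(pkt) for ace in acl)


def trace(tool: str, inside: list[Ace], outside: list[Ace], path_len: int) -> list[str]:
    """Per TTL: 'hopN', 'dest' or '*'. Probes leave through the inside ACL, replies
    return through the outside ACL. Transit routers answer with time-exceeded (11);
    the destination answers Windows tracert with echo-reply (0) and UNIX traceroute
    with port unreachable (3)."""
    rows = []
    for ttl in range(1, path_len + 1):
        probe = (Packet("icmp", icmp_type=8) if tool == "windows"
                 else Packet("udp", dport=UDP_BASE_PORT + ttl - 1))
        if not permitted(inside, probe):
            rows.append("*")
            continue
        if ttl < path_len:
            reply, label = Packet("icmp", icmp_type=11), f"hop{ttl}"
        else:
            reply, label = Packet("icmp", icmp_type=0 if tool == "windows" else 3), "dest"
        rows.append(label if permitted(outside, reply) else "*")
    return rows


# Constructed ACLs: the thread's starting state, the recommended fix, and the fix
# with only the 'unreachable' entry left out.
ONLY_ECHO_REPLY = """
access-list inside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
"""
FIXED = """
access-list inside_in extended permit icmp any any
access-list inside_in extended permit udp any any range 33434 33534
access-list outside_in remark ICMP return traffic for ping and traceroute
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
"""
NO_UNREACHABLE = FIXED.replace(
    "access-list outside_in extended permit icmp any any unreachable\n", "")


def run(tool: str, config: str, path_len: int = 4) -> list[str]:
    acls = parse_acl(config)
    return trace(tool, acls["inside_in"], acls["outside_in"], path_len)


if __name__ == "__main__":
    for tool in ("windows", "unix"):
        for name, cfg in (("only echo-reply", ONLY_ECHO_REPLY), ("fixed", FIXED),
                          ("no unreachable", NO_UNREACHABLE)):
            print(f"{tool:8} {name:16} {run(tool, cfg)}")
```

With only echo-reply permitted inbound, the Windows run reproduces the symptom in the original question exactly: `*` for every transit hop and a reply only from the destination, because the destination's echo-reply passes but the routers' time-exceeded messages do not. The UNIX run under the same ACLs shows nothing at all, since the UDP probes never leave. The NO_UNREACHABLE case is the one to remember: time-exceeded alone makes the transit hops appear, but the final hop stays `*` because UNIX traceroute ends on a port-unreachable, not an echo-reply.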

New Member

Re: Traceroute through ASA v 7.2

Yes it works. Thanks.

New Member

Re: Traceroute through ASA v 7.2

I'm having the same issue; however, I would only like to allow ICMP 11 back into the ASA.

New Member


Hello,

I know this has been a long time ago, but I'm facing the same issue on the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.

I also checked my ASA configuration, and the only setting that is not present is the "match any" for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:


ASA(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Can you guys help me? I posted the tracert output and the relevant configuration below. I can't find the misfit, and I already checked most of the configuration forums.

C:\>tracert www.google.com

Tracing route to www.google.com [173.194.79.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23   212 ms   212 ms   212 ms  pb-in-f104.1e100.net [173.194.79.104]

Trace complete.

---Router configuration

icmp unreachable rate-limit 10 burst-size 5
!
!
!
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object icmp6 echo-reply
 service-object icmp6 time-exceeded
 service-object icmp6 unreachable
!
!
!
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
!
!
!
access-group IF_outside_access_in in interface IF_outside
!
!
!
class-map class_default
!--- This does not exist -> match any
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
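Added example, not from the post above or from Cisco: a Python model of why NAT matters for these replies, the point Daniel makes about using the NATed subnet in the outside ACL. A transit router's ICMP Time Exceeded quotes the first 28 bytes of the probe it dropped (RFC 792), and that quoted header carries the post-NAT public source address. The inside host pairs replies with probes by the quoted addresses and ports, so a NAT device has to rewrite the quoted inner source as well as the outer destination and then fix the checksums; on the ASA that translation of embedded headers is what the `inspect icmp error` feature is for. All addresses and ports here are constructed, the helpers are this example's own, and only the UDP-probe form of traceroute is built.

```python
"""ICMP Time Exceeded: how a traceroute reply quotes the probe, and what a NAT
device must rewrite so the inside host can match the reply to its probe.
Added example; every address and port below is constructed."""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Returns 0 over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Outbound UNIX-style traceroute probe: IPv4 + 8-byte UDP header, no payload.
    A zero UDP checksum means 'none', which IPv4 allows."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, 17, len(udp), ttl) + udp


def time_exceeded(router_ip: str, probe: bytes) -> bytes:
    """What a transit router returns when the probe's TTL expires: ICMP type 11
    code 0, then the offending datagram's IP header plus 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router_ip, b2ip(probe[12:16]), 1, len(icmp)) + icmp


def decode_icmp_error(pkt: bytes) -> dict:
    """Outer addresses plus the quoted inner 5-tuple. The quoted tuple is what
    traceroute uses to pair a reply with its probe, and what NAT lookups key on."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"outer_src": b2ip(pkt[12:16]), "outer_dst": b2ip(pkt[16:20]),
            "type": icmp[0], "code": icmp[1],
            "quoted_src": b2ip(inner[12:16]), "quoted_dst": b2ip(inner[16:20]),
            "quoted_proto": inner[9], "quoted_sport": sport, "quoted_dport": dport}


def matches_probe(probe: bytes, decoded: dict) -> bool:
    """The check the inside host performs: does the quoted header belong to my probe?"""
    sport, dport = struct.unpack("!HH", probe[20:24])
    return (decoded["quoted_src"], decoded["quoted_dst"], decoded["quoted_proto"],
            decoded["quoted_sport"], decoded["quoted_dport"]) == \
           (b2ip(probe[12:16]), b2ip(probe[16:20]), probe[9], sport, dport)


def untranslate_icmp_error(pkt: bytes, public_ip: str, private_ip: str) -> bytes:
    """Inbound NAT for an ICMP error: rewrite the outer destination AND the quoted
    inner source from public to private, then fix all three checksums (outer IP,
    quoted IP, ICMP). Static one-to-one NAT only; PAT would also restore the port."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    outer[16:20] = ip2b(private_ip)
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    inner_ihl = (icmp[8] & 0x0F) * 4          # quoted header starts at ICMP offset 8
    icmp[20:24] = ip2b(private_ip)            # quoted source: offset 8 + 12
    icmp[18:20] = b"\x00\x00"                 # quoted header checksum: offset 8 + 10
    icmp[18:20] = struct.pack("!H", checksum(bytes(icmp[8:8 + inner_ihl])))
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer) + bytes(icmp)


PRIVATE, PUBLIC, ROUTER, TARGET = "10.0.0.10", "203.0.113.5", "198.51.100.1", "192.0.2.8"


def demo() -> tuple:
    """(matches before NAT untranslation, matches after). The probe leaves the ASA
    with the public source, so the router's quote names PUBLIC, not PRIVATE."""
    probe_inside = udp_probe(PRIVATE, TARGET, 40000, 33434, ttl=1)
    probe_outside = udp_probe(PUBLIC, TARGET, 40000, 33434, ttl=1)  # post-NAT copy
    reply = time_exceeded(ROUTER, probe_outside)
    before = matches_probe(probe_inside, decode_icmp_error(reply))
    after = matches_probe(probe_inside,
                          decode_icmp_error(untranslate_icmp_error(reply, PUBLIC, PRIVATE)))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `(False, True)`: delivered untouched, the reply is addressed to the public IP and quotes a probe the inside host never sent, so the host discards it and the hop shows as `*` even though the outside ACL let the packet in. The same quoted 5-tuple is also what a capture on the outside interface shows, which is why the `capture` suggestion earlier in the thread is the fastest way to tell an ACL drop from a translation problem.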
