doing outbound traceroutes thru ASA5520

I cannot do outbound traceroutes from clients on the inside network to the Internet. I have allowed ICMP outbound on the inside interface and allowed ICMP echo-reply, unreachable and time-exceeded inbound on the outside interface. I still get time-outs on each hop till the destination.

Inbound UDP connections need to be allowed only if you want to perform inbound traceroutes thru the ASA, am I right?


Re: doing outbound traceroutes thru ASA5520

Hello,

this might have to do with the device you perform the traceroute from.

Unix systems (all?) and IOS use UDP packets to an unused port (33434) to execute the traceroute. Those packets have to be allowed to leave your internal network, otherwise traceroute will not work.

On Microsoft Windows (all?) systems ICMP is used instead.

Hope this helps! Please rate all posts.

Martin
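As an added illustration (not from the original post), this is the minimal ASA access-list set that covers both traceroute styles described above: UDP probes leaving the inside interface and the ICMP error replies coming back on the outside interface. Interface names, ACL names and the inside subnet are assumed; the UDP range 33434-33534 is the conventional block used by Unix and IOS traceroute.

```cisco
! --- Inside (outbound) ACL ---
! ICMP echo for Windows-style tracert (the poster already had this).
access-list inside_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
! UDP probes for Unix/IOS-style traceroute: start at 33434 and climb one
! port per probe, so permit the conventional block rather than one port.
access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 any range 33434 33534
access-group inside_in in interface inside

! --- Outside (inbound) ACL ---
! Hop routers answer each probe with time-exceeded; the destination answers
! a UDP probe with port-unreachable and an ICMP probe with echo-reply.
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside

! --- Optional: let ICMP inspection handle the return traffic instead ---
! With ICMP inspection enabled the ASA tracks echo/echo-reply as a session
! and rewrites the addresses embedded in ICMP error messages, so the
! outside_in ICMP entries above can be narrowed to what you really need.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

Without the outside permits (or `inspect icmp error`) the hops still answer, but the ASA drops the time-exceeded replies, which is exactly the "every hop times out until the destination" symptom from the question.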
