ASA Firewall does not show up in Traceroute. Also certain traceroute programs will not work due to this.
Example of a trace:
C:\>tracert -d 18.104.22.168
Tracing route to 22.214.171.124
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.10.31 <-- Fictitious ip
2 <1 ms <1 ms <1 ms 192.168.1.1 <-- Fictitious ip
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 16 ms 16 ms 16 ms 126.96.36.199
I searched all over for a good document on how to allow traceroute through my firewall and have the firewall show up in the trace. There is some older documentation out there but it needs to be tweaked slightly for later code. Also, you may not want to set decrement-ttl for all icmp traffic.
In my case, I don not want to allow just anyone to run traceroute and see our firewall so I use a class map to only allow management vlan traffic to see firewall. At one time there was a vulnerability on the PIX 500 when setting this so that is partially why I don't like turning it on for everyone.
Here are the steps I used to meet my requirements above so that I can see every hop but only from a designated management network:
1. Add the following to your outside-in ACL. (With this ACL change, all computers will be able to traceroute however, they will not see the firewall as a hop because it does not decrement the TTL)
#access-list OUTSIDE_IN remark Allow ICMP Type 11 for Windows tracert
#access-list OUTSIDE_IN extended permit icmp any any time-exceeded
2. Identify the type of traffic and it's source using an ACL; in this case, ICMP traffic from the network 192.168.88.0 255.255.255.0
#access-list TRACE_ROUTE extended permit icmp 192.168.88.0 255.255.255.0 any
3. Classify that traffic using a class-map.
..# match access-list TRACE_ROUTE
4. Add classification to the Global Policy in addition to the "set connection decrement-ttl" command for this traffic.
...#set connection decrement-ttl
5. Add the following Command.
#icmp unreachable rate-limit 10 burst-size 5
Tracerout will now work and for the classified source you will now see the firewall in the trace.
Please rate this post if you find it helpful and also leave your comments if you see any problems or vulnerabilites with the above solution.