Cisco Support Community

New Member

Cisco ASA - Need to permit Ping and Traceroute

Hi,

 

I am able to ping my remote peers but can't trace. What am I missing here?

 

object-group service PING_TRACE
 service-object icmp
 service-object icmp traceroute
object-group network ICMP_ACCESS
 network-object 203.121.10.0 255.255.255.0
 network-object host 222.77.187.292
 network-object host 231.27.20.18
 network-object host 198.18.171.220
 network-object host 129.26.179.202
 network-object host 218.192.63.146
 network-object host 94.62.250.62
 


#sh access-list Test_access_in
access-list Test_access_in line 6 remark Allow set of hosts to PING and TRACE ANY outside - for monitoring.
access-list Test_access_in line 7 extended permit object-group PING_TRACE object-group ICMP_ACCESS any4 (hitcnt=0) 0x48a9083e
access-list Test_access_in line 7 extended permit icmp 203.121.10.0 255.255.255.0 any4 (hitcnt=0) 0xce1e8a24
access-list Test_access_in line 7 extended permit icmp host 222.77.187.292 any4 (hitcnt=0) 0xf57d731f
access-list Test_access_in line 7 extended permit icmp host 231.27.20.18 any4 (hitcnt=0) 0xb25e6675
access-list Test_access_in line 7 extended permit icmp host 198.18.171.220 any4 (hitcnt=0) 0xd1f4dfa4
access-list Test_access_in line 7 extended permit icmp host 129.26.179.202 any4 (hitcnt=87) 0x45874268
access-list Test_access_in line 7 extended permit icmp host 218.192.63.146 any4 (hitcnt=0) 0x737f20fb
access-list Test_access_in line 7 extended permit icmp host 94.62.250.62 any4 (hitcnt=0) 0x4223d717

 

#sh run access-group
access-group Test_access_in in interface Test1

 

#ping 231.27.20.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.27.20.10, timeout is 2 seconds:
!!!!!

#traceroute 231.27.20.18

Type escape sequence to abort.
Tracing the route to 231.27.20.18

 1   *  *  *
 2   *  *  *
 3   *  *  *
 4   *  *  *
 5   *  *  *
 6   *  *

 


#traceroute 231.27.20.18 source Test1

Type escape sequence to abort.
Tracing the route to 231.27.20.18

 1   *  *  *
 2   *  *  *

 

 

 

 

 

2 ACCEPTED SOLUTIONS



Hi,

 

  You need to enable icmp error inspection to see all intermediate hosts.

 policy-map global_policy
  class inspection_default
   inspect icmp error

Take a look at this link to the command reference:

 http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1760544

The reason for such behavior is that by default the ASA (a security device!) will hide all hosts on the path for ICMP time-exceeded messages behind NAT.

Let me know how it works out,

 

Please don't forget to rate, and mark as Correct the helpful Post!

 

David Castro,

 

Regards,


Hi Kunal,

 

It is a pleasure, let me know how it works out!

 

Also Please don't forget to rate, and mark as Correct the helpful Post!

 

Have a great day!

 

David Castro,

9 REPLIES


New Member


Hi dcastrof,

 

Thanks a ton for your input. Will test and verify if it works. Cheers!!!

 

Regards,

Kunal Tupe


New Member


Hey David,

 

Kudos... It works!!! But is there any other way apart from this?

 

Regards,

Kunal Tupe

 


Hi Kunal,

 

 

Since the Cisco ASA acts as a security appliance, it usually does not let you see when the packet goes across it; it is a security measure, so this is the way we can make this function as you are looking for. If you have another question please let me know!

 

Best Regards,

New Member


Hi David,

 

Sorry for the delayed response as I was not around.

 

Thanks for the information. Thanks for all the help :)

 

Best Regards,

Kunal Tupe

 

New Member


>>But is there any other way apart from this?

Cisco ASA 5500 Allowing Tracert

 

PL

 


Hi Kunal,

 

I see, what happens is that I gave you the steps on this that TAC recommends. There might be certain different ways around something and they might work, though we usually follow the pertinent procedures and those recommended by Cisco.

 

I would recommend you follow what I have posted.

 

David Castro,

 

Regards, 

New Member


I also had to remove the "IP reverse path" feature on the inbound interface, as traceroute replies were coming from intermediate carrier hops with source addresses that are not routable across the firewall interface; therefore they were dropped by the "IP reverse path" feature and we could not see intermediate hops on the traceroute, only the first and last. After "IP reverse path" was disabled on the transit/external interface, traceroute started working. This is not a recommended practice, but it was needed to get traceroute working in my case.

no ip verify reverse-path interface INTERFACE_NAME

 

HTH

Angel,
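The effect Angel describes can be reproduced with a small model of the strict reverse-path check, added here as an example; it is not Angel's configuration, not ASA code, and the routing table, interface names and hop addresses in it are assumptions made for the example. A time-exceeded reply is accepted on an interface only if the route back to its source address points out that same interface; carrier-internal hop addresses with no route on the firewall fail the check and the hop prints as "*  *  *". The last line of the usage shows what the check is there for, and therefore what is given up when it is disabled on an interface: a packet arriving on Test1 that claims an inside source address is rejected.

```python
import ipaddress

# Constructed routing table for the model: interface name -> prefixes reachable
# through it. Interface names, prefixes and hop addresses are assumptions made
# for this example, not the configuration of the device in the thread.
ROUTES = {
    "inside": ["10.10.0.0/16"],
    "Test1": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Sources of the ICMP time-exceeded replies a traceroute elicits, hop by hop.
# The first two come from carrier-internal addresses with no route on the
# firewall; the third is inside a prefix routed via Test1.
HOPS = ["100.64.5.1", "100.64.9.1", "203.0.113.1"]


def build_table(routes):
    """Flatten the routing table into (network, interface) pairs."""
    return [(ipaddress.ip_network(p), iface)
            for iface, prefixes in routes.items() for p in prefixes]


def egress_interface(table, address):
    """Longest-prefix match: the interface a packet *to* address would leave by.
    Returns None when no route covers the address. The model has no default
    route and does not reproduce the ASA's own default-route handling."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_passes(table, ingress_iface, src):
    """Strict reverse-path check: accept only if the route back to src points
    out the interface the packet arrived on."""
    return egress_interface(table, src) == ingress_iface


def visible_hops(table, ingress_iface, hop_sources, urpf_enabled):
    """Hop numbers whose time-exceeded reply survives the ingress filter."""
    shown = []
    for n, src in enumerate(hop_sources, start=1):
        if urpf_enabled and not urpf_passes(table, ingress_iface, src):
            continue  # dropped: that hop prints as '*  *  *' in the traceroute
        shown.append(n)
    return shown


if __name__ == "__main__":
    table = build_table(ROUTES)
    print("hops shown with reverse-path check on :", visible_hops(table, "Test1", HOPS, True))
    print("hops shown with reverse-path check off:", visible_hops(table, "Test1", HOPS, False))
    # What the check protects against: a packet on Test1 claiming an inside source.
    print("inside source accepted on Test1?", urpf_passes(table, "Test1", "10.10.3.4"))
```

Before disabling the check on an interface, the model gives a quick way to see which hop sources would fail it: if only unrouted carrier addresses fail, the missing hops are a cosmetic loss; if routed prefixes fail, the routing table itself is the problem.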
