traceroute and Cisco ASA

I was trying to traceroute from my PC to 8.8.8.8 and it did not work. I can ping 8.8.8.8. Between my PC and 8.8.8.8 is the access switch and the Cisco ASA. Is it possible that the ASA block traceroute? If yes, how do I fix it. I need to allow some of my users to do traceroute.
Asked by: leblanc
2 Solutions
 
nader alkahtani (Network Engineer) commented:
Traceroute may need to be permitted on the ASA firewall; see this article from the vendor: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
 
Don Johnston (Instructor) commented:
Your ASA is blocking the ICMP TTL exceeded messages that are being sent from outside your network.

Find the ACL that is controlling inbound traffic and add a line like this:

access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded
 
leblanc (Accounting, Author) commented:
Nader Al-Kahtani,

Does the explanation in your link apply to ASA 9.1 code?
 
nader alkahtani (Network Engineer) commented:
Yes
 
leblanc (Accounting, Author) commented:
I will try your advice next week. Thanks
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
You need to add the "decrement-ttl" in the service policy.

My recommendation is to edit your default class for the service policy like below and have that only decrement the TTL.  This should fix your problems:

policy-map global_policy
class class-default
set connection decrement-ttl
 
leblanc (Accounting, Author) commented:
Rather than using policy-map, will this work, access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded ?
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
You would perhaps need both (I have no idea how your access list is currently structured) but most ASA firewalls do not automatically decrement the TTL, which is why you require that command in the policy map (no way around it, it is required if you want the traceroute).
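To see why the two fixes in this thread address different symptoms (the ACL line lets the ICMP time-exceeded replies back in, decrement-ttl makes the ASA appear as a hop), here is an added Python model of the path from the question; it is not code from this thread or from Cisco, and the hop names, the simplified ASA behaviour and the assumption that the final echo reply always returns (ping works) are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Hop:
    """One device in the path (constructed model, not a Cisco API)."""
    name: str
    decrement_ttl: bool = True         # routers decrement; an L2 switch and a default ASA do not
    is_asa: bool = False
    permit_time_exceeded: bool = True  # ASA only: outside ACL permits icmp time-exceeded

def probe(path: List[Hop], dest: str, ttl: int) -> Optional[str]:
    """Send one probe with initial ttl; return the name of the hop that answers with
    time-exceeded, dest if the probe reaches it, or None if the ASA drops the reply."""
    crossed_asa = False   # True once the probe has passed the ASA: the reply must re-enter it
    asa: Optional[Hop] = None
    for hop in path:
        if hop.is_asa:
            asa = hop
        if hop.decrement_ttl:
            ttl -= 1
            if ttl == 0:
                # A time-exceeded from beyond the ASA needs the ACL permit; one
                # generated on the inside or by the ASA itself never hits that ACL.
                if crossed_asa and not asa.permit_time_exceeded:
                    return None
                return hop.name
        crossed_asa = crossed_asa or hop.is_asa
    return dest   # reached the target; the echo reply is stateful, so it passes (ping works)

def traceroute(path: List[Hop], dest: str, max_hops: int = 30) -> List[str]:
    """What the user sees per hop: a name, or '*' when no reply comes back."""
    lines = []
    for ttl in range(1, max_hops + 1):
        answer = probe(path, dest, ttl)
        lines.append(answer or "*")
        if answer == dest:
            break
    return lines

def scenario(decrement_ttl: bool, permit_time_exceeded: bool) -> List[str]:
    """Path from the question: PC -> access switch -> ASA -> two ISP hops -> 8.8.8.8."""
    path = [Hop("access-switch", decrement_ttl=False),
            Hop("asa", decrement_ttl, True, permit_time_exceeded),
            Hop("isp-gw"), Hop("isp-core")]
    return traceroute(path, "8.8.8.8")

if __name__ == "__main__":
    for d, p in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"decrement-ttl={d} permit-time-exceeded={p}: {scenario(d, p)}")
```

With neither fix every hop beyond the firewall shows as `*`, with only the ACL permit the ASA hop is simply missing from the list, and only with both does the full path appear.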
 
leblanc (Accounting, Author) commented:
Great. I will try it next week. Thx