Solved

traceroute and Cisco ASA

Posted on 2015-01-25
10
31 Views
Last Modified: 2016-10-14
I was trying to traceroute from my PC to 8.8.8.8 and it did not work. I can ping 8.8.8.8. Between my PC and 8.8.8.8 is the access switch and the Cisco ASA. Is it possible that the ASA block traceroute? If yes, how do I fix it. I need to allow some of my users to do traceroute.
0
Comment
Question by:leblanc
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569302
Tracerout may be  need to be permitted from Asa firewall see this article from the vendor http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 40569349
Your ASA is blocking the ICMP TTL exceeded messages that are being sent from outside your network.

Find the ACL that is controlling inbound traffic and add a line like this:

access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded
0
 
LVL 1

Author Comment

by:leblanc
ID: 40569520
Nader Al-Kahtani,

Does the explanation of your link applicable to ASA 9.1 code?
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569561
Yes
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599348
I will try your advise next week. Thanks
0
 
LVL 6

Assisted Solution

by:Daniel Sheppard
Daniel Sheppard earned 250 total points
ID: 40599520
You need to add the "decrement-ttl" in the service policy.

My recommendation is to edit your default class for the service policy like below and have that only decrement the TTL.  This should fix your problems:

policy-map global_policy
class class-default
set connection decrement-ttl
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599529
Rather than using policy-map, will this work, access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded ?
0
 
LVL 6

Expert Comment

by:Daniel Sheppard
ID: 40599538
You would perhaps need both (I have no idea how your access list is currently structured) but most ASA firewalls do not automatically decrement the TTL, which is why you require that command in the policy map (no way around it, it is required if you want the traceroute).
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599672
Great. I will try it next week. Thx
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question