Solved

traceroute and Cisco ASA

Posted on 2015-01-25
10
36 Views
Last Modified: 2016-10-14
I was trying to traceroute from my PC to 8.8.8.8 and it did not work. I can ping 8.8.8.8. Between my PC and 8.8.8.8 is the access switch and the Cisco ASA. Is it possible that the ASA block traceroute? If yes, how do I fix it. I need to allow some of my users to do traceroute.
0
Comment
Question by:leblanc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569302
Tracerout may be  need to be permitted from Asa firewall see this article from the vendor http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 40569349
Your ASA is blocking the ICMP TTL exceeded messages that are being sent from outside your network.

Find the ACL that is controlling inbound traffic and add a line like this:

access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded
0
 
LVL 1

Author Comment

by:leblanc
ID: 40569520
Nader Al-Kahtani,

Does the explanation of your link applicable to ASA 9.1 code?
0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569561
Yes
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599348
I will try your advise next week. Thanks
0
 
LVL 6

Assisted Solution

by:Daniel Sheppard
Daniel Sheppard earned 250 total points
ID: 40599520
You need to add the "decrement-ttl" in the service policy.

My recommendation is to edit your default class for the service policy like below and have that only decrement the TTL.  This should fix your problems:

policy-map global_policy
class class-default
set connection decrement-ttl
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599529
Rather than using policy-map, will this work, access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded ?
0
 
LVL 6

Expert Comment

by:Daniel Sheppard
ID: 40599538
You would perhaps need both (I have no idea how your access list is currently structured) but most ASA firewalls do not automatically decrement the TTL, which is why you require that command in the policy map (no way around it, it is required if you want the traceroute).
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599672
Great. I will try it next week. Thx
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question