Solved

traceroute and Cisco ASA

Posted on 2015-01-25
10
34 Views
Last Modified: 2016-10-14
I was trying to traceroute from my PC to 8.8.8.8 and it did not work. I can ping 8.8.8.8. Between my PC and 8.8.8.8 is the access switch and the Cisco ASA. Is it possible that the ASA block traceroute? If yes, how do I fix it. I need to allow some of my users to do traceroute.
0
Comment
Question by:leblanc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569302
Tracerout may be  need to be permitted from Asa firewall see this article from the vendor http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 40569349
Your ASA is blocking the ICMP TTL exceeded messages that are being sent from outside your network.

Find the ACL that is controlling inbound traffic and add a line like this:

access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded
0
 
LVL 1

Author Comment

by:leblanc
ID: 40569520
Nader Al-Kahtani,

Does the explanation of your link applicable to ASA 9.1 code?
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 8

Expert Comment

by:nader alkahtani
ID: 40569561
Yes
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599348
I will try your advise next week. Thanks
0
 
LVL 6

Assisted Solution

by:Daniel Sheppard
Daniel Sheppard earned 250 total points
ID: 40599520
You need to add the "decrement-ttl" in the service policy.

My recommendation is to edit your default class for the service policy like below and have that only decrement the TTL.  This should fix your problems:

policy-map global_policy
class class-default
set connection decrement-ttl
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599529
Rather than using policy-map, will this work, access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded ?
0
 
LVL 6

Expert Comment

by:Daniel Sheppard
ID: 40599538
You would perhaps need both (I have no idea how your access list is currently structured) but most ASA firewalls do not automatically decrement the TTL, which is why you require that command in the policy map (no way around it, it is required if you want the traceroute).
0
 
LVL 1

Author Comment

by:leblanc
ID: 40599672
Great. I will try it next week. Thx
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Netscaler #MSSQL #Load Balance
The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question