[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 42
  • Last Modified:

traceroute and Cisco ASA

I was trying to traceroute from my PC to 8.8.8.8 and it did not work. I can ping 8.8.8.8. Between my PC and 8.8.8.8 is the access switch and the Cisco ASA. Is it possible that the ASA block traceroute? If yes, how do I fix it. I need to allow some of my users to do traceroute.
0
leblanc
Asked:
leblanc
  • 4
  • 2
  • 2
  • +1
2 Solutions
 
nader alkahtaniNetwork EngineerCommented:
Tracerout may be  need to be permitted from Asa firewall see this article from the vendor http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
0
 
Don JohnstonInstructorCommented:
Your ASA is blocking the ICMP TTL exceeded messages that are being sent from outside your network.

Find the ACL that is controlling inbound traffic and add a line like this:

access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded
0
 
leblancAccountingAuthor Commented:
Nader Al-Kahtani,

Does the explanation of your link applicable to ASA 9.1 code?
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
nader alkahtaniNetwork EngineerCommented:
Yes
0
 
leblancAccountingAuthor Commented:
I will try your advise next week. Thanks
0
 
Daniel SheppardNetwork Administrator/Engineer/ArchitectCommented:
You need to add the "decrement-ttl" in the service policy.

My recommendation is to edit your default class for the service policy like below and have that only decrement the TTL.  This should fix your problems:

policy-map global_policy
class class-default
set connection decrement-ttl
0
 
leblancAccountingAuthor Commented:
Rather than using policy-map, will this work, access-list <ACL name> extended permit icmp any interface <outside interface name> time-exceeded ?
0
 
Daniel SheppardNetwork Administrator/Engineer/ArchitectCommented:
You would perhaps need both (I have no idea how your access list is currently structured) but most ASA firewalls do not automatically decrement the TTL, which is why you require that command in the policy map (no way around it, it is required if you want the traceroute).
0
 
leblancAccountingAuthor Commented:
Great. I will try it next week. Thx
0

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now