There are three steps to enable traceroute:
- In policy map “global_policy”, in class “inspection_default”, add “inspect icmp” and “inspect icmp error”.
- In policy map “global_policy”, in class “class-default”, add “set connection decrement-ttl”.
- On your outside interface, add an access list that permits ICMP “time-exceeded” in the ingress direction.
Here is the code that you can paste into your ASA firewall:
    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error
      exit
     class class-default
      set connection decrement-ttl
      exit
     exit
    access-list OUTSIDE-IN extended permit icmp any any time-exceeded
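To confirm that all three steps are present in a saved running-config, here is a small checker (an added example, not part of the original post). The sample config is constructed; the access-group line and the interface name "outside" are assumptions, included because the ACL only takes effect once it is applied inbound on an interface.

```python
import re

# Constructed sample running-config fragment (not taken from a real device).
# The access-group line and the interface name "outside" are assumptions.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-group OUTSIDE-IN in interface outside
"""

def policy_classes(config, policy="global_policy"):
    """Return {class_name: [commands]} for one policy-map in the config text."""
    classes, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):      # a top-level line opens or closes a block
            inside, current = (line == f"policy-map {policy}"), None
        elif inside and line.startswith("class "):
            current = line.split(None, 1)[1]
            classes[current] = []
        elif inside and current:
            classes[current].append(line)
    return classes

def check_traceroute(config, acl="OUTSIDE-IN"):
    """Report, per step, whether the config contains what the step requires."""
    classes = policy_classes(config)
    name = re.escape(acl)
    entry = re.search(rf"^access-list {name} extended permit icmp any any time-exceeded[ \t]*$", config, re.M)
    bound = re.search(rf"^access-group {name} in interface \S+", config, re.M)
    return {
        "inspect_icmp": {"inspect icmp", "inspect icmp error"} <= set(classes.get("inspection_default", [])),
        "decrement_ttl": "set connection decrement-ttl" in classes.get("class-default", []),
        "acl_time_exceeded": bool(entry and bound),  # entry exists and is applied inbound
    }

if __name__ == "__main__":
    for step, ok in check_traceroute(SAMPLE_CONFIG).items():
        print(f"{'OK' if ok else 'MISSING':8}{step}")
```

The ACL check matches only the exact “any any” entry from the post; a rule narrowed to specific sources or destinations will be reported as missing.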