Menu Close

Enabling traceroute on Cisco ASA

There are three steps to enable traceroute:

  1. In policy map “global_policy” in class “inspection_default” you need to add “inspect icmp” and “inspect icmp error”
  2. In policy map “global_policy” in class “class_default” you need to add “set connection decrement-ttl”
  3. On your oudside interface, you need add access list, that permits ICMP with “time-exceeded” on ingress direction

There is code, that you can paste in your ASA firewall:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error
    exit
  class class-default
    set connection decrement-ttl
    exit
  exit
access-list OUTSIDE-IN extended permit icmp any any time-exceeded

 

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.