Hi Nick, the outgoing packets are UDP but the packets coming back should be icmp ttl expired, that is why I allowed icmp.
I just tried to allow anything in and out without any change, so I guess this is not rule-related at all. Any other ideas?

kind regards
Rolf

> Traceroutes from ASA / routers use UDP not ICMP
>
> You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> versions of the message you need - this is my traceroute config I use on
> client contexts:
>
> Note these firewalls are non-internet facing so security is less important
> to me than troubleshooting.
>
> access-list outside_access_in extended permit icmp any any unreachable
> access-list outside_access_in extended permit icmp any any traceroute
> access-list outside_access_in extended permit icmp any any time-exceeded
>
> policy-map global_policy
>  class inspection_default
>   inspect icmp
>   inspect icmp error
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:[email protected]] On Behalf Of
> "Rolf Hanßen"
> Sent: 16 March 2016 10:58
> To: [email protected]
> Subject: [c-nsp] traceroute from ASA with source IP from inside interface
>
> Hi,
>
> I am new to ASA and wondering about the traceroute (and ping) behaviour.
> I wanted to trace/ping with the IP address of the internal interface, but
> anything I try results in stars:
>
> ASA# traceroute 8.8.8.8 source inside
>
> Type escape sequence to abort.
> Tracing the route to 8.8.8.8
>
> 1 * * *
> 2 * * *
>
> Tracing without setting a source (or "source outside") works fine.
> I create a rule for the internal interface towards dst any service ip.
> There is also a rule on the outside interface to allow icmp.
> I replace "inside" with the IP.
> Traceroutes from servers attached to the inside interface work fine.
>
> There is no control plane policy set.
>
> Is this a bug or some strange "security feature"?
> Is there another part that maybe filters such traffic?
> In the management access section I see only https/asdm/ssh/telnet.
>
> Maybe somebody can explain.
>
> kind regards
> Rolf
>
>
> _______________________________________________
> cisco-nsp mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
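The thread turns on one question: does the outside ACL permit the ICMP replies (time-exceeded from each hop, port-unreachable from the last hop, echo-reply for ping) when they are addressed to the inside interface's IP rather than the outside one? The script below is an added example, not code from the thread or from Cisco. It parses a small subset of ASA `access-list ... extended` syntax (protocols `ip`/`icmp`/`udp`, `any`, `host X`, `NET MASK`, optional ICMP type keyword), evaluates it first-match with the implicit deny, and reports which reply types an interface ACL would drop for a given firewall address. The ACL texts, the inside address `198.51.100.1`, the outside address `203.0.113.10` and the hop address `192.0.2.1` are constructed sample values. The ACL is only one place such replies can be dropped; the `inspect icmp error` lines Nick posted address the connection-matching side and are not modelled here.

```python
"""Check whether an ASA interface ACL permits the ICMP replies that a UDP
traceroute or a ping sourced from the firewall itself depends on.

Added example for the cisco-nsp thread; not Cisco's code. Sample ACLs and
addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP reply types the firewall must accept (ASA ACL icmp-type keywords).
REPLY_TYPES = {
    "time-exceeded": "TTL expired at an intermediate hop (each traceroute line)",
    "unreachable": "port unreachable from the final hop (last traceroute line)",
    "echo-reply": "answer to a ping",
}

# Constructed: the three permit lines Nick posted.
NICK_ACL = """
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
"""

# Constructed: an ICMP permit scoped to the outside interface address only.
SCOPED_ACL = """
access-list outside_access_in extended permit icmp any host 203.0.113.10
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "udp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # None means any ICMP type


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2  # /32
    # "A.B.C.D MASK" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Parse extended ACEs into per-ACL ordered lists; remarks are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
    return acls


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             icmp_type: Optional[str] = None) -> str:
    """First-match evaluation; no match means the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.proto == "icmp" and ace.icmp_type not in (None, icmp_type):
            continue
        return ace.action
    return "deny"


def missing_reply_permits(acl_text: str, acl_name: str, firewall_ip: str,
                          hop_ip: str = "192.0.2.1") -> List[str]:
    """Reply types the ACL would drop when a hop sends them to firewall_ip."""
    aces = parse_acl(acl_text).get(acl_name, [])
    return [t for t in REPLY_TYPES
            if evaluate(aces, "icmp", hop_ip, firewall_ip, t) != "permit"]


if __name__ == "__main__":
    INSIDE_IP = "198.51.100.1"  # constructed: ASA inside interface address
    for label, text in (("Nick's ACL", NICK_ACL), ("permit scoped to outside IP", SCOPED_ACL)):
        missing = missing_reply_permits(text, "outside_access_in", INSIDE_IP)
        print(f"{label}: would drop {missing or 'nothing'} for replies to {INSIDE_IP}")
```

Run against Nick's lines, the only gap reported is `echo-reply` (traceroute works, ping would not); run against a permit scoped to the outside address, all three reply types are reported as dropped for traffic addressed to the inside IP, which is the shape of problem Rolf's "source inside" symptom suggests checking for.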
