Allowing tracert in Cisco ASA firewall

By | April 10, 2015

I was under the impression that allowing ICMP in the service policy would be enough for tracert to work. I was wrong. After scouting around I found the tweaks below that get tracert running correctly.

1. Enable TTL decrement in the global policy
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

2. Permit the inbound ICMP control messages (time-exceeded and unreachable)
ASA(config)# access-list inbound permit icmp any any time-exceeded
ASA(config)# access-list inbound permit icmp any any unreachable

3. Permit the outbound ICMP connection, which you should already have 😀
ASA(config)# access-list outbound permit icmp any any
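As an added check that is not part of the original post, the Python audit below reads a saved ASA configuration and reports which pieces of the recipe above are absent; it also goes one step beyond the post by confirming both ACLs are bound to an interface with access-group. The ACL names inbound and outbound and the sample configs are assumptions taken from the post's commands.

```python
import re
# Added audit helper (not from the post): checks a saved ASA config for the post's recipe.
# ACL names "inbound"/"outbound" are the post's; pass your own if they differ.
def _ace(name, suffix=""):
    # ASA stores ACEs with "extended" even when it was not typed, so it is optional here
    return rf"^access-list\s+{re.escape(name)}\s+(?:extended\s+)?permit\s+icmp\s+any\s+any{suffix}$"

def audit_tracert_config(config, inbound="inbound", outbound="outbound"):
    """Return {requirement: bool}; False marks a piece of the recipe that is absent."""
    keys = ["decrement_ttl", "icmp_time_exceeded", "icmp_unreachable", "icmp_outbound", "acls_applied"]
    found, in_policy, in_default, applied = dict.fromkeys(keys, False), False, False, set()
    for line in filter(str.strip, config.splitlines()):
        # track the "policy-map global_policy" / "class class-default" stanza
        if re.match(r"^policy-map\s+global_policy$", line):
            in_policy, in_default = True, False
            continue
        if not line.startswith(" "):          # any other top-level line ends the stanza
            in_policy = in_default = False
        if in_policy and re.match(r"^\s+class\s+\S+$", line):
            in_default = line.split()[1] == "class-default"
        if in_default and line.strip() == "set connection decrement-ttl":
            found["decrement_ttl"] = True
        # ICMP control messages back in, ICMP out, and both ACLs bound with access-group
        found["icmp_time_exceeded"] |= bool(re.match(_ace(inbound, r"\s+time-exceeded"), line))
        found["icmp_unreachable"] |= bool(re.match(_ace(inbound, r"\s+unreachable"), line))
        found["icmp_outbound"] |= bool(re.match(_ace(outbound), line))
        m = re.match(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+$", line)
        if m:
            applied.add(m.group(1))
    found["acls_applied"] = {inbound, outbound} <= applied
    return found

def missing_for_tracert(config, **names):
    return [k for k, ok in audit_tracert_config(config, **names).items() if not ok]

# Constructed sample config (not from a real device); INCOMPLETE drops the TTL decrement and the unreachable ACE.
COMPLETE = """\
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-list outbound extended permit icmp any any
access-group inbound in interface outside
access-group outbound in interface inside
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""
INCOMPLETE = COMPLETE.replace("  set connection decrement-ttl\n", "").replace(
    "access-list inbound extended permit icmp any any unreachable\n", "")
```

Run it against the output of show running-config; an empty list from missing_for_tracert means all three settings from the post are in place.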
