IT technical memo of networking

Cisco ASA traceroute settings via NAPT


Some of the settings to ensure proper operation of the traceroute in an environment that uses a Cisco ASA as a NAT router is required.
NAPT in the Internet connection part, inspect, ACL, note for reviewing the various settings, such as policy-map.

Cisco, Linux of traceroute mechanism, the difference, set to FW pass here.

Allow the Cisco and Linux traceroute in Firewall - designetwork(EN)


Network configuration

Cisco ASA connect to the internet with PPPoE ( Dynamic IP ).
To access the internet, with SrcNAPT ( PAT ), none DstNAT.

Security Level
 inside(management):SecLevel 100
 outside(internet) :SecLevel 0

Access Rules
 inside -> outside : no access rules(SecLevel permission)
 outside -> inside : deny any

Use version

Cisco ASA :9.2(3) Cisco ADSM:7.2(1)

Set to pass a traceroute in ASA

In my environment, it was carried out the following types of changes.
It described the result of the comparison of the DF to show the before / after item.

       |                                                  ||00084 R|object-group icmp-type DM_INLINE_ICMP_1           
       |                                                  ||00085 R| icmp-object time-exceeded                        
       |                                                  ||00086 R| icmp-object unreachable                          
00084  |access-list Web extended permit tcp any any eq www||00089  |access-list Web extended permit tcp any any eq www
       |                                                  ||00090 R|access-list Web extended permit icmp any any objec
00094 L|icmp unreachable rate-limit 1 burst-size 1        ||00100 R|icmp unreachable rate-limit 10 burst-size 5       
00100 L|nat (management,outside) source static any interfa||00106 R|nat (management,outside) source dynamic Internet-P
00101  |access-group Web in interface outside             ||00107  |access-group Web in interface outside             
       |                                                  ||00210 R|class-map ttl                                     
       |                                                  ||00211 R| match any                                        
00210  |policy-map global_policy                          ||00218  |policy-map global_policy                          
00211  | class inspection_default                         ||00219  | class inspection_default                         
       |                                                  ||00235 R|  inspect icmp                                    
       |                                                  ||00236 R|  inspect icmp error                              
       |                                                  ||00237 R| class ttl                                        
       |                                                  ||00238 R|  set connection decrement-ttl                    

Allow ICMP return packet with outside

It displays the following of and to allow each become possible.
time-exceeded:via hop
unreachable:target host

object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object unreachable
access-list Web extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-group Web in interface outside

By the way, ICMP Type traceroute There was no difference in work with allow / deny.

ICMP packet receive buffer adjustment

If you do not and here of the setting, it takes time to hop display.

icmp unreachable rate-limit 10 burst-size 5

ICMP inspection setting in NAPT(PAT)

The ICMP header at the time of hop detection of traceroute UDP header of the original packet is taken over.
Put connections and string of NAT (NAPT / PAT) by making sure to inspect the contents of the ICMP header.

policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error 

NAPT configuration error

Did the wrong set at the time of initial construction, NAPT was not be set as expected.

nat (management,outside) source static any interface  
nat (management,outside) source dynamic Internet-PAT interface

By the way, NAPT configuration error at the time Log in
Src: (Global) Dst:
Is displayed, it was not able to process the return packet.
Inspection is considered to not work properly.

To counts the ASA as traceroute hop

Cisco ASA does not decrement the TTL of the passing packet by default.
Therefore, packets of traceroute as it is transferred, does not appear not counted as a hop.

TTL decrement (= traceroute display) can be performed with the following settings.

class-map ttl
 match any
policy-map global_policy
class ttl
  set connection decrement-ttl

The class name is appropriately changed.

Cisco official information

There is a similar discussion with Cisco Support Community.
Since the ASA Version has a new, there is a story, such as also become necessary inspect icmp error.

traceroute output result

The results are as follows of the traceroute from Linux after the above settings change.


Immediately Request Timed Out ...

[root@CentOS-01 ~]# traceroute
traceroute to (, 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *


It came to be traceroute display normally.
(The most recent of the host is masked)

[root@CentOS-01 ~]# traceroute
traceroute to (, 30 hops max, 60 byte packets
1 gateway ( 3.603 ms 3.534 ms 4.618 ms
2 133.160.xx.xx (133.160.xx.xx) 6.507 ms 7.588 ms 7.583 ms
3 133.160.xx.xx (133.160.xx.xx) 6.430 ms 8.271 ms 8.244 ms
4 ( 18.182 ms 27.957 ms 27.933 ms
5 ( 8.054 ms ( 8.850 ms 9.808 ms
6 ( 10.662 ms 4.739 ms 6.580 ms
7 ( 7.627 ms 7.643 ms 7.614 ms
8 ( 7.601 ms ( 7.597 ms ( 9.421 ms
9 ( 10.523 ms 10.470 ms 10.373 ms

This Blog is English Version of my JP's.

Sorry if my English sentences are incorrect.