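Configure the ASA to show as a hop in traceroutes

Sometimes you want the ASA to show up as a hop in a traceroute to the internet. By default the ASA does not decrement the TTL of packets passing through it, so it never appears in the path. Here are the commands to allow that.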

class-map class-default
 match any

policy-map global_policy
 class class-default
  set connection decrement-ttl
exit
exit
service-policy global_policy global
icmp unreachable rate-limit 10 burst-size 5

access-list outside_in remark Allow ICMP Type 11 for traceroute
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any echo-reply

access-group outside_in in interface outside
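
A quick way to check a saved running-config for every piece of the setup above, as an added example that is not part of the original post. It assumes `show running-config` formatting (sub-mode commands indented) and runs against a constructed sample config; the function name `audit_traceroute_config` is hypothetical.

```python
import re

# Constructed sample in `show running-config` form (sub-mode lines indented);
# it mirrors the commands on this page and is not taken from a real device.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
icmp unreachable rate-limit 10 burst-size 5
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
"""

ICMP_TYPES = ("unreachable", "time-exceeded", "echo-reply")

def audit_traceroute_config(config, interface="outside"):
    """Return the pieces of the traceroute setup that are missing (empty = complete)."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    missing, ttl_policies, current = [], set(), None
    for line in lines:
        if not line.startswith(" "):  # top-level command: track policy-map scope
            m = re.match(r"policy-map (?!type )(\S+)$", line)
            current = m.group(1) if m else None
        elif current and line.strip() == "set connection decrement-ttl":
            ttl_policies.add(current)
    if not ttl_policies:
        missing.append("set connection decrement-ttl")
    # The policy only takes effect once a service-policy applies it.
    applied = {l.split()[1] for l in lines if l.startswith("service-policy ")}
    if ttl_policies and not (ttl_policies & applied):
        missing.append("service-policy for the decrement-ttl policy")
    if not any(l.startswith("icmp unreachable rate-limit ") for l in lines):
        missing.append("icmp unreachable rate-limit")
    # Only ACLs bound inbound on the chosen interface count.
    bound = {l.split()[1] for l in lines
             if re.match(rf"access-group \S+ in interface {re.escape(interface)}$", l)}
    for icmp_type in ICMP_TYPES:
        rule = re.compile(rf"access-list (\S+) extended permit icmp any any {icmp_type}$")
        if not any((m := rule.match(l)) and m.group(1) in bound for l in lines):
            missing.append(f"permit icmp {icmp_type} on {interface}")
    return missing

if __name__ == "__main__":
    print(audit_traceroute_config(SAMPLE_CONFIG) or "all traceroute pieces present")
```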
