By default, if you run a traceroute from a host behind a Cisco ASA or PIX, you will notice that the ASA is missing from the traceroute output: the IP address of the ASA's interface does not appear as a hop when you trace to an Internet address.

Why does this happen?

Traceroute works by sending probe packets with a gradually increasing TTL (time to live), starting at 1. The first router decrements the TTL to zero, discards the probe, and sends an ICMP Time Exceeded message back to the source; the source address of that message reveals the first router. The next probes are sent with a TTL of 2, so the first router forwards them and the second router drops them and replies with Time Exceeded. Proceeding hop by hop, traceroute uses the senders of the returned Time Exceeded messages to build the list of routers the packets traverse, until a probe reaches the destination, which answers directly (with an ICMP Echo Reply for ICMP-based probes such as Windows tracert, or an ICMP Port Unreachable for the UDP probes that Unix traceroute sends by default).

The ASA is missing from the list because, by default, it forwards traffic without decrementing the TTL. No probe ever expires on the ASA, so it never sends a Time Exceeded message and never reveals its own address: from traceroute's point of view the firewall is not there. This is deliberate: not advertising the firewall as a hop hides part of the network topology from anyone tracing toward it.
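The following is a small model of the mechanism described above, added here as an illustration; it is not code from the original post or from Cisco. It walks traceroute probes along a constructed path (inside host, ASA, two upstream routers, destination; all names and addresses are made up) and shows three cases: the ASA default, where it never decrements TTL and therefore never appears; the ASA with TTL decrement enabled, where it shows up as hop 1; and TTL decrement enabled but returning ICMP errors blocked, where every hop beyond the ASA times out. The model assumes the destination's final reply always gets back to the prober.

```python
"""Constructed model of traceroute across a firewall that may or may not
decrement TTL. Hop names and addresses are made up; nothing here touches a
real network."""
from dataclasses import dataclass
from typing import List, Tuple

TIMEOUT = "*"  # what traceroute prints when no reply arrives for a TTL


@dataclass
class Hop:
    name: str
    address: str
    decrements_ttl: bool = True       # ordinary routers always decrement
    passes_icmp_errors: bool = True   # lets Time Exceeded replies back toward the prober


def send_probe(path: List[Hop], destination: str, ttl: int) -> Tuple[str, str]:
    """Carry one probe with the given TTL along `path`.

    Returns (replying address, reply kind). A hop that does not decrement
    (the ASA default) is skipped exactly as if it were a piece of wire.
    """
    for index, hop in enumerate(path):
        if not hop.decrements_ttl:
            continue
        ttl -= 1
        if ttl == 0:
            # The Time Exceeded message must cross every earlier hop on its way back.
            if all(h.passes_icmp_errors for h in path[:index]):
                return hop.address, "time-exceeded"
            return TIMEOUT, "dropped"
    # The probe survived every hop: the destination itself answers
    # (Echo Reply for ICMP probes, Port Unreachable for UDP probes).
    return destination, "destination"


def traceroute(path: List[Hop], destination: str, max_hops: int = 30) -> List[Tuple[int, str]]:
    """Raise the TTL from 1 until the destination answers, recording who replied."""
    rows = []
    for ttl in range(1, max_hops + 1):
        address, kind = send_probe(path, destination, ttl)
        rows.append((ttl, address))
        if kind == "destination":
            break
    return rows


def build_path(asa_decrements_ttl: bool, asa_passes_icmp_errors: bool = True) -> List[Hop]:
    """Inside host -> ASA -> two upstream routers (constructed addresses)."""
    return [
        Hop("asa-inside", "10.0.0.1", asa_decrements_ttl, asa_passes_icmp_errors),
        Hop("isp-edge", "203.0.113.1"),
        Hop("isp-core", "198.51.100.1"),
    ]


DESTINATION = "192.0.2.10"  # constructed target address

if __name__ == "__main__":
    cases = [
        ("ASA default (TTL not decremented)", False, True),
        ("set connection decrement-ttl", True, True),
        ("decrement-ttl, but returning ICMP errors blocked", True, False),
    ]
    for label, decrement, passes in cases:
        print(f"\n{label}")
        for ttl, who in traceroute(build_path(decrement, passes), DESTINATION):
            print(f"  {ttl:2d}  {who}")
```

In the first case the ASA at 10.0.0.1 is simply absent and the ISP edge router shows as hop 1; in the second it appears as hop 1 and every other hop shifts down by one; in the third the ASA is listed but everything between it and the destination prints as `*`, which is what you see in practice when the firewall does not let the Time Exceeded messages back in.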

How to fix this?

You can change this behaviour by enabling the decrement-TTL feature in the connection settings of the global service policy; applying it to class-default makes it cover all traffic passing through the ASA. Note that this setting only controls whether the ASA itself appears as a hop: for the traceroute to complete at all, the ICMP Time Exceeded and Unreachable messages coming back from the outside must still be permitted in through the ASA, either by ICMP inspection or by an inbound access list. Here is how you enable it from the CLI:

ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class class-default
ciscoasa(config-pmap-c)#set connection decrement-ttl

Or via the ASDM:

  1. Firewall > Service Policy Rules
  2. Edit class-default
  3. Go to the Connection Settings tab
  4. Under Time to Live > Check “Decrement time to live for a connection”
  5. OK & Save


