Make Your ASA Show Up in a Traceroute – Enable TTL Decrement

If you’ve been blessed, or cursed, with working in an environment with several network segments separated by routers and Cisco ASA firewalls you know that troubleshooting can be tricky.

One of the first and most basic troubleshooting steps when tracking down a communication issue is to run a traceroute and make sure routing works.

Unfortunately, when you have a firewall in the loop it does not show up in the traceroute.

Fortunately, at least with the Cisco ASA, we can fix this!

But first, lets look at why this happens…

Why do Cisco ASA firewalls not show up in traceroute?

When you run a traceroute from a device such as a router or PC, the device sends either a UDP datagram or ICMP packet with a TTL (that’s Time-To-Live) of 1. The TTL gets decremented by the first device in the path and that device sends back an ICMP TEM (that’s Time Exceeded Message), which populates your traceroute with the IP of that device.

The initiating device then sends another UDP datagram or ICMP packet with a TTL of 2 which is decremented by the second device and returns a ICMP TEM, populating your traceroute with the seconds device’s IP.

And so on….

By default, ASA does not decrement the TTL when a traceroute hits the firewall. Therefor it doesn’t send back an ICMP TEM. This stops the ASA from showing up as a hop in the path during the traceroute.

Now the ASA does this because it’s a security device and you don’t always want your security device to advertise its presence to the world.

To change this behavior, we have to tell the firewall to decrement the TTL.

Here is how:

ASA Fix: Add Class-Map to Force ASA to Decrement TTL

Enabling “set connection decrement-ttl” on the ASA will allow the ASA to show up as a hop in the path of a traceroute.

To do this we can make a modification to the default policy map (assuming you’re using the default policy-map, which most likely you are) by adding a new class-map containing the command above. We can do this with the following command:

class-map traceroute
 match any
policy-map global_policy
 class traceroute
  set connection decrement-ttl

If you re-run your traceroute you’ll now see the IP of the interface on your ASA that is facing you.

Another, more secure, option for implementing this would be to apply the above class-map to a policy on a specific interface instead of globally.

FTD Fix: Add Class-Map via FlexConfig in FMC to Decrement TTL

To make the same change we made on the ASA to an appliance running FTD we need to use Firepower Management Center.

  1. Open FMC and go to Objects -> Object Management -> FlexConfig -> FlexConfig Object
  2. Click on Add FlexConfig Object
  3. Type in a Name and Description
  4. Select Once next to Deployment
  5. Select Append next to Type
  6. Enter the following command text in the command field:
policy-map global_policy
 class class-default
  set connection decrement-ttl
  1. Click Save
  2. Go to Devices -> FlexConfig
  3. Click on New Policy
  4. Type in a Name, Description, and add the Device you want to apply the policy to
  5. Click Save
  6. Under User Defined, click on the FlexConfig object you created earlier and add to the new policy.
  7. Save the policy
  8. Deploy the policy.

At this point you should be able to see your ASA in your traceroutes. If you have a lot of ASAs that you want to apply this change to I highly recommend checking out Solarwinds Network Configuration Manager (NCM) to automate pushing this to all of them (without needing to know a single line of code) and save yourself a ton of work.

I use NCM for all of my bulk command line changes on my Cisco ASAOS and IOS devices.

Good luck!

Recommended for You: Solarwinds Network Configuration Manager (NCM)

What would you do if one of your pieces of networking equipment failed? Could you rebuild it quickly? Do you know exactly what configuration it had? What ports were on what vlan? What about port channels?

You get the point.

Automate backing up configurations and updating of all your switching, routing, and firewall equipment without needing to know a single line of code with Solarwinds Network Configuration Manager.

This is one of those tools that pays for itself in man hours the first time you need to rely on it. Plus, you’ll sleep easier knowing you really have backed up all the things.

Chase Smith, CCNP

Chase Smith, CCNP is a Network Engineer III who has spent the last decade elbow deep in enterprise system administration and networking. He can usually be found trying to warm up behind the storage in the datacenter.

Leave a Reply

Your email address will not be published. Required fields are marked *