To let any device inside your network run a traceroute to the Internet, you need to set up an access-list on the outside interface that permits the ICMP replies to come back in: echo-reply (type 0, sent by the final hop) and time-exceeded (type 11, sent by every intermediate router at which a probe's TTL expires). Without these two entries every hop shows up as * * *.
access-list outside_to_inside permit icmp any any echo-reply
access-list outside_to_inside permit icmp any any time-exceeded
access-group outside_to_inside in interface outside
user@host ~ $ traceroute -I www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.169.99
traceroute to www.l.google.com (64.233.169.99), 64 hops max, 60 byte packets
<removed some hops here on purpose>
9 216.239.48.108 (216.239.48.108) 14.780 ms 19.313 ms 16.400 ms
10 64.233.175.111 (64.233.175.111) 16.388 ms 64.233.175.109 (64.233.175.109) 18.220 ms 17.279 ms
11 216.239.49.149 (216.239.49.149) 16.927 ms 216.239.49.145 (216.239.49.145) 18.281 ms 216.239.49.149 (216.239.49.149) 19.312 ms
12 yo-in-f99.google.com (64.233.169.99) 15.279 ms 15.314 ms 20.127 ms
Note: Use -I to send ICMP ECHO probes instead of the default UDP probes; the access-list above only permits the replies that ICMP probes generate. With the default UDP probes the intermediate hops still answer with time-exceeded, but the destination answers with ICMP port-unreachable (type 3), which this access-list does not permit, so the final hop appears as * * * unless you also add: access-list outside_to_inside permit icmp any any unreachable. You can also use -n to avoid DNS lookups for each hop. The "any any" in these entries is broader than necessary; restrict the destination to your inside address range where you can. On an ASA, turning on inspect icmp and inspect icmp error in the global policy is the stateful alternative to opening these ICMP types by access-list.
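To make the dependency between probe type and reply type concrete, here is an added example (not from the original post, and not Cisco's code) in Python. It parses the post's access-list lines, applies Cisco first-match semantics with the implicit deny at the end, and models which hops an inside host would see for ICMP-echo (traceroute -I) versus default UDP traceroute. Source and destination fields are ignored (treated as any), the hop count is a constructed sample, and the extra "unreachable" entry in UDP_ACL is my assumption of what the UDP case needs, not something the post configures.

```python
import re

# ICMP type keywords as Cisco IOS/ASA access-lists spell them, mapped to the
# wire type number. Only the keywords traceroute traffic needs are modelled.
ICMP_KEYWORDS = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}

# Matches e.g. "access-list outside_to_inside permit icmp any any echo-reply".
# Source/destination are captured but ignored in this model (treated as 'any').
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<type>[a-z-]+))?\s*$"
)

# The access-list lines from the post, verbatim (access-group is skipped by the parser).
POST_ACL = """\
access-list outside_to_inside permit icmp any any echo-reply
access-list outside_to_inside permit icmp any any time-exceeded
access-group outside_to_inside in interface outside
"""

# Assumed extension for default (UDP) traceroute: the destination answers a UDP
# probe with ICMP port-unreachable, which is type 3, keyword 'unreachable'.
UDP_ACL = POST_ACL + "access-list outside_to_inside permit icmp any any unreachable\n"


def parse_acl(text):
    """Return [(name, action, icmp_type_or_None), ...] in configured order.

    Lines that are not ICMP access-list entries (access-group, '!' comments,
    other protocols) are skipped. A missing type means 'all ICMP'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        kw = m.group("type")
        if kw is not None and kw not in ICMP_KEYWORDS:
            raise ValueError(f"unmodelled ICMP keyword: {kw}")
        entries.append((m.group("name"), m.group("action"),
                        ICMP_KEYWORDS[kw] if kw else None))
    return entries


def acl_permits(entries, icmp_type):
    """First matching entry wins; no match falls through to the implicit deny."""
    for _name, action, t in entries:
        if t is None or t == icmp_type:
            return action == "permit"
    return False


def simulate(entries, mode, hop_count):
    """Which of hop_count hops an inside host would see, as 'seen' or '*'.

    A probe whose TTL expires at an intermediate router comes back as ICMP
    time-exceeded (type 11) whatever the probe was. At the destination the
    reply depends on the probe: an ICMP echo probe (traceroute -I) gets
    echo-reply (type 0); the default UDP probe to an unused high port gets
    port-unreachable (type 3). The firewall drops any reply the ACL denies,
    which the user sees as '*'.
    """
    if mode not in ("icmp", "udp"):
        raise ValueError("mode must be 'icmp' or 'udp'")
    out = []
    for hop in range(1, hop_count + 1):
        if hop < hop_count:
            reply = 11
        else:
            reply = 0 if mode == "icmp" else 3
        out.append("seen" if acl_permits(entries, reply) else "*")
    return out


if __name__ == "__main__":
    # Constructed sample: a 5-hop path, checked with both access-lists and both probe types.
    for label, acl in (("ACL from the post", POST_ACL), ("with 'unreachable' added", UDP_ACL)):
        entries = parse_acl(acl)
        for mode in ("icmp", "udp"):
            print(f"{label:26} {mode:4}: {' '.join(simulate(entries, mode, 5))}")
```

Running it shows the post's access-list letting every hop through in ICMP mode but hiding only the final hop in UDP mode, which is exactly the symptom you get when someone forgets -I behind this firewall.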