Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Determining Packet Routing with Traceroute

24-6

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter24 Troubleshooting Connections and Resources

Testing Your Configuration

Determining Packet Routing with Traceroute

The Traceroute tool helps you to determine the route that packets will take to their destination. The tool

prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order.

The following table lists the output symbols printed by this tool.

To use the Traceroute tool, perform the following steps:

Step1 In the main ASDM application window, choose Tools > Traceroute.

The Traceroute dialog box appears.

Step2 Enter hostname or IP address to which the route is traced. If the hostname is given, define it by choosing

Configuration > Firewall > Objects > Service Objects/Groups, or configure a DNS server to enable

this tool to resolve the hostname to an IP address.

Step3 Enter the amount of time in seconds to wait for a response before the connection times out. The default

is three seconds.

Step4 Type the destination port used by the UDP probe messages. The default is 33434.

Step5 Enter the number of probes to be sent at each TTL level. The default is three.

Step6 Specify the minimum and maximum TTL values for the first probes. The minimum default is one, but it

can be set to a higher value to suppress the display of known hops. The maximum default is 30. The

traceroute terminates when the packet reaches the destination or when the maximum value is reached.

Step7 Check the Specify source interface or IP address check box. Choose the source interface or IP address

for the packet trace from the drop-down list. This IP address must be the IP address of one of the

interfaces. In transparent mode, it must be the management IP address of the ASA.

Step8 Check the Reverse Resolve check box to have the output display the names of hops encountered if name

resolution is configured. Leave this check box unchecked to have the output display IP addresses.

Step9 Check the Use ICMP check box to specify the use of ICMP probe packets instead of UDP probe packets.

Step10 Click Trace Rout e to start the traceroute.

The Traceroute Output area displays detailed messages about the traceroute results.

Step11 Click Clear Output to start a new traceroute.

Output Symbol Description

* No response was received for the probe within the timeout period.

nn msec For each node, the round-trip time (in milliseconds) for the specified number of

probes.

!N. ICMP network unreachable.

!H ICMP host unreachable.

!P ICMP unreachable.

!A ICMP administratively prohibited.

? Unknown ICMP error.

Cisco Systems Determining Packet Routing with Traceroute