There are three steps to enable traceroute through the ASA:

  1. In policy map "global_policy", class "inspection_default", add "inspect icmp" and "inspect icmp error" (ICMP inspection lets the ASA track echo requests and their replies as connections, and "inspect icmp error" lets the ICMP error messages that traceroute relies on, such as time-exceeded, pass back through).
  2. In policy map "global_policy", class "class-default", add "set connection decrement-ttl" (by default the ASA does not decrement the TTL and is invisible to traceroute; with this setting it appears as a hop).
  3. On your outside interface, add an access list entry that permits ICMP "time-exceeded" in the ingress (inbound) direction, so the time-exceeded replies from upstream routers can reach the inside host running the trace. If an access list is already applied inbound on the outside interface, add the entry to that list rather than binding a new one, since "access-group" replaces the existing binding.

Here is the configuration you can paste into your ASA firewall:

policy-map global_policy
  class inspection_default
    inspect icmp
    inspect icmp error
    exit
  class class-default
    set connection decrement-ttl
    exit
  exit
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
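To confirm that all three pieces are actually in place after pasting, here is an added example (not code from the original post) that audits a saved running-config text for the three prerequisites: the two inspect statements under inspection_default, decrement-ttl under class-default, and an inbound access list on the outside interface that permits ICMP time-exceeded. The sample config embedded in it is constructed to look like "show running-config" output; the interface name "outside" and the ACL name OUTSIDE-IN are assumptions matching the post.

```python
"""Audit a Cisco ASA running-config text for the three traceroute prerequisites.

Added example: the sample config below is constructed, not captured from a device.
"""
import re

# Constructed running-config excerpt in the layout 'show running-config' uses
# (one space of indent per nesting level, '!' separating top-level blocks).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
"""


def _indented_block(config, header):
    """Return the indented lines that follow the top-level line `header`."""
    collected, inside = [], False
    for line in config.splitlines():
        if line == header:
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                collected.append(line)
            else:
                break  # first unindented line ends the block
    return collected


def parse_policy_map(config, name):
    """Map each class in `policy-map <name>` to the list of actions under it."""
    classes, current = {}, None
    for line in _indented_block(config, f"policy-map {name}"):
        if line.startswith(" class "):
            current = line.split(None, 1)[1].strip()
            classes[current] = []
        elif current is not None:
            classes[current].append(line.strip())
    return classes


def inbound_acl(config, nameif):
    """Name of the ACL applied inbound on interface `nameif`, or None."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(nameif)}\s*$",
                  config, re.MULTILINE)
    return m.group(1) if m else None


def acl_permits_time_exceeded(config, acl):
    """True if `acl` has an extended permit entry for ICMP time-exceeded."""
    pattern = rf"^access-list {re.escape(acl)} extended permit icmp .*\btime-exceeded\b"
    return re.search(pattern, config, re.MULTILINE) is not None


def audit_traceroute(config, outside_nameif="outside"):
    """Return {check name: bool} for the three prerequisites from the post."""
    pm = parse_policy_map(config, "global_policy")
    inspection = pm.get("inspection_default", [])
    default = pm.get("class-default", [])
    acl = inbound_acl(config, outside_nameif)  # None if nothing is bound inbound
    return {
        "inspect icmp": "inspect icmp" in inspection,
        "inspect icmp error": "inspect icmp error" in inspection,
        "set connection decrement-ttl": "set connection decrement-ttl" in default,
        "inbound ACL permits time-exceeded": acl is not None
        and acl_permits_time_exceeded(config, acl),
    }


if __name__ == "__main__":
    for check, ok in audit_traceroute(SAMPLE_CONFIG).items():
        print(f"[{'OK' if ok else 'MISSING'}] {check}")
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents); a MISSING line points at the step that was skipped, and the ACL check also catches the common case where the access-list line was pasted but never bound to the interface with access-group.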
