Wednesday 13 February 2013

Allowing traceroutes through the ASA firewall

I'm really not going to document anything here but to point you to this blog post. It's one of the best I've ever read. Easy to follow, and it provides the output for you to see!

! create an ACL that permits the returning ICMP (lines starting with ! are ignored by the ASA)
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
! bind the ACL inbound on the outside interface
access-group outside_access_in in interface outside

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection decrement-ttl

ciscoasa(config)# icmp unreachable rate-limit 10 burst-size 5
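The commands above are three separate settings that all have to be present for traceroute to work and to show the ASA as a hop: the inbound ACL permitting ICMP time-exceeded and unreachable, the decrement-ttl action under class-default in global_policy, and the unreachable rate limit that keeps the firewall from being turned into an ICMP generator. Below is an added example (my own, not from this post or the one it links to) that audits a saved running-config text for all four items; the config excerpt it parses is constructed, and the function names are my own.

```python
"""Audit a Cisco ASA running-config for the traceroute-related settings.

Added example: checks for (1) an ACL bound inbound on the given interface,
(2) that ACL permitting icmp time-exceeded and unreachable, (3) 'set connection
decrement-ttl' under class-default of global_policy and (4) the unreachable
rate limit. Function names and the sample config are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
icmp unreachable rate-limit 10 burst-size 5
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  set connection decrement-ttl
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit icmp (\S+) (\S+) (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
RATE_LIMIT_RE = re.compile(r"^icmp unreachable rate-limit (\d+) burst-size (\d+)$")


def inbound_acl_for(config: str, interface: str) -> Optional[str]:
    """Return the ACL name applied inbound on `interface`, or None if there is none."""
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m and m.group(2) == interface:
            return m.group(1)
    return None


def permitted_icmp_types(config: str, acl: str) -> List[str]:
    """ICMP type keywords permitted by `acl` (source/destination are not checked here)."""
    types: List[str] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl:
            types.append(m.group(4))
    return types


def decrement_ttl_set(config: str, policy_map: str = "global_policy") -> bool:
    """True if 'set connection decrement-ttl' sits under class-default of `policy_map`."""
    current_pmap = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            current_pmap = line.split()[1]   # 'policy-map type inspect ...' is not handled
            current_class = None
        elif line.startswith("class ") and current_pmap:
            current_class = line.split()[1]
        elif line == "set connection decrement-ttl":
            if current_pmap == policy_map and current_class == "class-default":
                return True
        elif line and not raw.startswith(" "):
            # Any other top-level command ends the current policy-map block.
            current_pmap = current_class = None
    return False


def unreachable_rate_limit(config: str) -> Optional[Tuple[int, int]]:
    """(rate, burst) from 'icmp unreachable rate-limit', or None if it is not configured."""
    for line in config.splitlines():
        m = RATE_LIMIT_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def audit_traceroute(config: str, interface: str = "outside") -> Dict[str, object]:
    """Collect the four checks and list the ones that are missing."""
    acl = inbound_acl_for(config, interface)
    types = permitted_icmp_types(config, acl) if acl else []
    result: Dict[str, object] = {
        "inbound_acl": acl,
        "time_exceeded_permitted": "time-exceeded" in types,
        "unreachable_permitted": "unreachable" in types,
        "decrement_ttl": decrement_ttl_set(config),
        "unreachable_rate_limit": unreachable_rate_limit(config),
    }
    missing = [k for k in ("time_exceeded_permitted", "unreachable_permitted", "decrement_ttl")
               if not result[k]]
    if result["unreachable_rate_limit"] is None:
        missing.append("unreachable_rate_limit")
    result["missing"] = missing
    return result


if __name__ == "__main__":
    for key, value in audit_traceroute(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Paste the output of `show running-config` into a file and feed it to `audit_traceroute`; an empty `missing` list means all four settings are in place. The ACL check deliberately ignores source and destination, so a config that narrows `any any` to specific networks still passes; tighten `permitted_icmp_types` if your policy requires a particular scope.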
