I come today with a funny/tricky ACL issue.
I have this classic setup:
- ASA (default route to the router) <----> 4000 series ISR router
- ISR router has two interfaces Gi0/0 toward ASA and Gi0/1 toward ISP
- default route is installed on ISR router from Gi0/1 with next hop: ISP_IP
- ACL is applied on Gi0/1 on the IN direction (and that's the only ACL I am using)
show run | i access-group
ip access-group BOUNDARY-IPV4-ACL in
- I want to enable ICMP traceroute from a PC behind the ASA (I have taken care of the ASA config) to the Internet
- if I remove the ACL from Gi0/1, traceroute shows as expected, including ISP_IP
- with the ACL on, I see all hops but the ISP_IP
140 deny icmp any any fragments
180 permit icmp any any echo-reply (46782 matches)
190 permit icmp any any unreachable (536737 matches)
200 permit icmp any any time-exceeded (2770525 matches)
205 permit icmp any any traceroute
210 permit icmp any any packet-too-big
230 deny icmp any any (160680 matches)
What am I missing, guys?
From my experience, UDP 137 is also used when tracerouting.
EDIT: Have you tried adding a temporary ACE at the top of the ACL, permitting ip host ISP_IP any log, and observing the output?
Believe it or not, that "deny ip any any" was hindering traceroute. I had allowed traffic from the NAT IP that hits the router, and it works.
Thanks again RJI!
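As an added illustration (not part of the thread, and not Cisco code), the following Python model walks the ICMP lines quoted above top to bottom the way an IOS ACL is evaluated: first matching ACE wins, and anything that falls through hits the trailing deny. It also applies the diagnostic suggested in the reply, a temporary "permit ip host ISP_IP any log" line at the top, and reports which ACE each reply lands on, which is exactly what the log hits on the router would tell you. The addresses, the trailing "deny ip any any" sequence number, and the sample replies are constructed for the example; ISP_IP and NAT_IP stand in for the thread's real addresses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISP_IP = "198.51.100.1"   # constructed stand-in for the ISP next hop on Gi0/1
NAT_IP = "203.0.113.10"   # constructed stand-in for the ASA's outside NAT address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "udp", "tcp", ...
    icmp_type: Optional[str] = None   # None for non-ICMP or for non-initial fragments
    non_initial_fragment: bool = False


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str = "any"                  # "any" or a single host address
    dst: str = "any"
    icmp_type: Optional[str] = None   # ICMP message type named by the ACE, if any
    fragments: bool = False           # IOS 'fragments' keyword
    log: bool = False                 # IOS 'log' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.fragments:
            # an ACE with 'fragments' applies only to non-initial fragments
            return p.non_initial_fragment
        if self.icmp_type is not None:
            # an ACE that names an ICMP type needs the ICMP header, which only
            # the initial fragment / whole datagram carries
            return (not p.non_initial_fragment) and p.icmp_type == self.icmp_type
        return True


# The ICMP lines quoted in the question, plus the explicit 'deny ip any any'
# mentioned in the last post (its sequence number 999 is assumed here).
BOUNDARY_IPV4_ACL: List[Ace] = [
    Ace(140, "deny",   "icmp", fragments=True),
    Ace(180, "permit", "icmp", icmp_type="echo-reply"),
    Ace(190, "permit", "icmp", icmp_type="unreachable"),
    Ace(200, "permit", "icmp", icmp_type="time-exceeded"),
    Ace(205, "permit", "icmp", icmp_type="traceroute"),
    Ace(210, "permit", "icmp", icmp_type="packet-too-big"),
    Ace(230, "deny",   "icmp"),
    Ace(999, "deny",   "ip"),
]


def first_match(acl: List[Ace], p: Packet) -> Tuple[Optional[int], str, bool]:
    """Evaluate top to bottom; first match wins. Returns (seq, action, logged).
    seq None means the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.seq, ace.action, ace.log
    return None, "deny", False


def with_diagnostic_ace(acl: List[Ace], host: str, seq: int = 5) -> List[Ace]:
    """Prepend the temporary 'permit ip host <host> any log' line from the reply."""
    return [Ace(seq, "permit", "ip", src=host, log=True)] + list(acl)


def trace(acl: List[Ace], packets: List[Packet]):
    """Which ACE each inbound reply on Gi0/1 lands on, in order."""
    return [(p.src, *first_match(acl, p)) for p in packets]


# Constructed replies a traceroute from behind the ASA could receive on Gi0/1.
SAMPLE_REPLIES: List[Packet] = [
    Packet(ISP_IP,      NAT_IP, "icmp", icmp_type="time-exceeded"),  # first hop
    Packet("192.0.2.7", NAT_IP, "icmp", icmp_type="time-exceeded"),  # a later hop
    Packet("192.0.2.9", NAT_IP, "icmp", icmp_type="echo-reply"),     # destination
    Packet(ISP_IP,      NAT_IP, "icmp", non_initial_fragment=True),  # stray fragment
    Packet(ISP_IP,      NAT_IP, "udp"),                              # non-ICMP
]

if __name__ == "__main__":
    for row in trace(BOUNDARY_IPV4_ACL, SAMPLE_REPLIES):
        print("production ACL :", row)
    for row in trace(with_diagnostic_ace(BOUNDARY_IPV4_ACL, ISP_IP), SAMPLE_REPLIES):
        print("with log ACE   :", row)
```

Reading the output the way you would read the router's log: with the diagnostic ACE in place, every packet sourced from ISP_IP is counted and logged on sequence 5 regardless of protocol or fragment status, so comparing those hits against the matches on 200 and on the trailing deny shows which line is actually eating the first-hop reply.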