traceroute is not working in Next generation firewall.

mphasis infosec
Level 1

Hi

I have tried to allow traceroute for one PC for testing purposes, but it is not working.

Model: ASA 5515x, Version: 9.12

I also allowed the access list below, but the user is still getting * * *

access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any unreachable

access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
access-list acl_in line 1 permit icmp any any time-exceeded

access-group acl_out in interface inside

access-group acl_in  in interface outside

fixup protocol icmp
fixup protocol icmp-error

3 Replies

Marvin Rhoads
Hall of Fame

Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.

     access-list acl_out line 1 permit icmp any any echo

It would be easier to just allow all icmp outbound:

     access-list acl_out line 1 permit icmp any any

Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, any inside-initiated to outside flows are allowed.
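As an added illustration (not part of the thread), a small Python checker that parses ACEs in the form the question posts and reports which ICMP types each ACL fails to permit, using first-match evaluation that ends in the ASA's implicit deny. It assumes ICMP echo probes (as Windows tracert sends) and looks only at the ACLs, ignoring what ICMP inspection may allow back on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of ASA ACE syntax handled:
#   access-list <name> [line <n>] permit|deny icmp <src> <dst> [<icmp-type>]
# An omitted ICMP type matches every ICMP type, as on the ASA.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<type>[a-z-]+))?$"
)

@dataclass
class Ace:
    name: str
    action: str
    icmp_type: Optional[str]   # None means "any ICMP type"

def parse_acl(config: str) -> List[Ace]:
    """Extract ICMP ACEs from a config snippet; access-group, fixup and other lines are ignored."""
    return [Ace(m["name"], m["action"], m["type"])
            for line in config.splitlines()
            if (m := ACE_RE.match(line.strip()))]

def permits(aces: List[Ace], acl_name: str, icmp_type: str) -> bool:
    """First-match evaluation in listed order, falling through to the implicit deny."""
    for ace in aces:
        if ace.name == acl_name and ace.icmp_type in (None, icmp_type):
            return ace.action == "permit"
    return False

# What an ICMP-based traceroute needs at the ACL level: the echo probe outbound
# through the inside ACL, and the router/host replies inbound through the outside ACL.
OUTBOUND_NEEDED = ["echo"]
INBOUND_NEEDED = ["time-exceeded", "unreachable", "echo-reply"]

def missing_for_traceroute(config: str, inside_acl: str, outside_acl: str) -> List[str]:
    """Return '<acl>: <icmp-type>' for each required type that the ACLs do not permit."""
    aces = parse_acl(config)
    return ([f"{inside_acl}: {t}" for t in OUTBOUND_NEEDED if not permits(aces, inside_acl, t)]
            + [f"{outside_acl}: {t}" for t in INBOUND_NEEDED if not permits(aces, outside_acl, t)])

# Constructed sample: the ACLs as posted in the question (duplicate ACE dropped).
POSTED_CONFIG = """
access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
"""

if __name__ == "__main__":
    print(missing_for_traceroute(POSTED_CONFIG, "acl_out", "acl_in"))   # ['acl_out: echo']
```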

If you are actually just configuring the ACL as a test, then I would suggest checking the logs to see what is built, for any future troubleshooting, so you can understand what is going through the ASA.

FYI: The inspection rule allows traceroute, and you don't need ACLs from a higher-security interface to a lower one.

Also check the following link:

ASA/PIX/FWSM: Handling ICMP Pings and Traceroute

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

Value our effort and rate the assistance!

jumora
Level 7

Hey, could you please mark the ticket as answered?

Value our effort and rate the assistance!