04-29-2014 07:58 AM - edited 03-11-2019 09:08 PM
Hi
I have tried to allow traceroute for one PC for testing purposes, but it is not working.
Model: ASA 5515x, Version: 9.12
I have also allowed the access list below, but the user is still getting * * *
access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
access-list acl_in line 1 permit icmp any any time-exceeded
access-group acl_out in interface inside
access-group acl_in in interface outside
Fixup protocol icmp
Fixup protocol icmp-error
04-29-2014 05:47 PM
Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.
access-list acl_out line 1 permit icmp any any echo
It would be easier to just allow all icmp outbound:
access-list acl_out line 1 permit icmp any any
Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, any inside-initiated to outside flows are allowed.
04-30-2014 02:32 PM
If you are actually just configuring an ACL as a test, then I would suggest checking the logs to see what is built, for any future troubleshooting, so you can understand what is going through the ASA.
FYI: the inspection rule allows traceroute, and you don't need ACLs from a higher-security interface to a lower one.
Also check the following link:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
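To illustrate the two replies above (the missing outbound "echo" permit, and ICMP inspection admitting the replies), here is an added toy model of the ASA's decision per traceroute packet; it is not code from the thread or from Cisco, and the addresses, hop path and ACL contents are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: str          # "echo", "echo-reply", "time-exceeded", "unreachable"
    embedded: tuple = None  # ICMP errors quote the probe: (orig_src, orig_dst)

@dataclass
class Asa:
    acl_out: set                 # ICMP types permitted inside -> outside ("any" = all)
    inspect_icmp: bool = True    # "inspect icmp" plus "inspect icmp error" enabled
    conns: set = field(default_factory=set)

    def outbound(self, p: Packet) -> bool:
        # Inside -> outside is checked against acl_out; inspection then records the flow.
        if "any" in self.acl_out or p.icmp_type in self.acl_out:
            if self.inspect_icmp:
                self.conns.add((p.src, p.dst))
            return True
        return False

    def inbound(self, p: Packet) -> bool:
        # Outside -> inside: admitted only if it belongs to a flow inspection recorded
        # (without inspection an ACL on the outside interface would have to permit it).
        if not self.inspect_icmp:
            return False
        if p.icmp_type == "echo-reply":
            return (p.dst, p.src) in self.conns
        if p.embedded is not None:        # error from an intermediate hop
            return p.embedded in self.conns
        return False

def traceroute(asa: Asa, pc: str, dest: str, path: list) -> list:
    # ICMP-based traceroute: one echo probe per TTL; hop N answers probe N.
    result = []
    for ttl in range(1, len(path) + 1):
        if not asa.outbound(Packet(pc, dest, "echo")):
            result.append("*")            # probe never left; the PC prints "*"
            continue
        hop = path[ttl - 1]
        if hop == dest:
            reply = Packet(dest, pc, "echo-reply")
        else:
            reply = Packet(hop, pc, "time-exceeded", embedded=(pc, dest))
        result.append(hop if asa.inbound(reply) else "*")
    return result

PC, DEST = "10.1.1.10", "198.51.100.7"               # constructed sample addresses
HOPS = ["203.0.113.1", "203.0.113.9", DEST]          # constructed path, last hop = dest
POSTED_ACL = {"echo-reply", "time-exceeded", "traceroute", "unreachable"}  # no "echo"
```

Running `traceroute(Asa(POSTED_ACL), PC, DEST, HOPS)` gives `['*', '*', '*']`, while adding `"echo"` to the set returns every hop.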
05-19-2014 12:11 PM
Hey, could you please mark the ticket as answered?