traceroute is not working in Next generation firewall.

mphasis infosec (Level 1)

Hi

I have tried to allow traceroute for one PC for testing purposes, but it is not working.

Model: ASA 5515x, Version: 9.12

I also allowed the access list below, but the user is still getting * * *:


access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any unreachable

access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
access-list acl_in line 1 permit icmp any any time-exceeded

access-group acl_out in interface inside

access-group acl_in  in interface outside

Fixup protocol icmp
Fixup protocol icmp-error

3 Replies

Marvin Rhoads (Hall of Fame)

Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.

     access-list acl_out line 1 permit icmp any any echo

It would be easier to just allow all icmp outbound:

     access-list acl_out line 1 permit icmp any any

Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, any flows initiated from inside to outside are allowed.

If you are actually just configuring the ACL as a test, then I would suggest checking the logs to see what is built for any future troubleshooting, so you can understand what is going through the ASA.

FYI: the inspection rule allows traceroute, and you don't need ACLs from a higher-security interface to a lower one.

Also check the following link:

ASA/PIX/FWSM: Handling ICMP Pings and Traceroute

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

Value our effort and rate the assistance!
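Putting the two replies together, here is a corrected version of the poster's configuration as an added example (not taken from the thread or from Cisco's own documentation). It keeps the poster's ACL and interface names; the policy-map and class names are the ASA defaults and are assumed here.

```cisco
! Added example: corrected outbound/inbound ACLs plus ICMP inspection for traceroute.
! acl_out, acl_in, inside and outside are the poster's names; global_policy and
! inspection_default are the ASA default service-policy names (assumed).

! Inside -> outside: the probe packets the inside PC actually sends.
! Windows tracert sends ICMP echo; Linux/Unix traceroute sends UDP to high
! ports by default (it only uses ICMP echo with -I). The original acl_out
! permitted neither, so the initiating packet was dropped on the inside interface.
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit udp any any range 33434 33534
! An ACL bound to the inside interface ends in an implicit deny, so the
! rest of the normally allowed outbound traffic must now be permitted explicitly.
access-list acl_out extended permit ip any any

! Outside -> inside: only the replies that traceroute and ping depend on.
access-list acl_in extended permit icmp any any time-exceeded
access-list acl_in extended permit icmp any any unreachable
access-list acl_in extended permit icmp any any echo-reply

access-group acl_out in interface inside
access-group acl_in in interface outside

! "fixup protocol icmp" is the older syntax; on 9.x the same inspection is
! configured in the global service policy. "inspect icmp error" lets the ASA
! handle the time-exceeded messages from intermediate hops (including fixing
! their addresses behind NAT), so each hop is listed instead of * * *.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

After applying it, a test from the inside PC should show each hop in the output, and the "Built" connection entries in the ASA syslog are the place to confirm that the probe was accepted on the inside interface.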

jumora (Level 7)

Hey, could you please mark the ticket as answered?

Value our effort and rate the assistance!