Allow traceroute & Ping from ASA's Outside Interface to Inside Interface

accenture-bang2
Level 1

Hi,

I want to allow traceroute and ping from the ASA's outside interface to the inside interface.

Please share the details.

2 Replies

XIE YAO
Level 1

If you want to allow ping from INSIDE to OUTSIDE:

For ping, inspect ICMP should work.

For traceroute, you have to add the ACL below on the outside interface (inbound):

access-list ICMP extended permit icmp any any unreachable

access-list ICMP extended permit icmp any any time-exceeded

access-list ICMP extended permit icmp any any echo-reply

If the direction is from OUTSIDE to INSIDE, then:

For ping, you have to add one more entry:

access-list ICMP extended permit icmp any any echo

For traceroute, if it is Windows tracert, then there is nothing else to add, but if it's Cisco IOS or Linux, then it's a bit more complex, as the probes are typically addressed to a pseudorandom high port. AFAIK it's difficult to define this precisely; you have to use a more general ACL.

Regards

XIE

For ping, make sure ICMP inspection is enabled.

For traces, create a new class-map just for the ICMP traffic, associate it with the default policy-map and use this command:

"set connection decrement-ttl"

i.e.

access-list ICMP-list extended permit icmp any any

class-map ICMP-class

 match access-list ICMP-list

policy-map global_policy

 class ICMP-class

  set connection decrement-ttl
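The two replies above together give a checklist: ICMP inspection for ping, explicit permits for echo / echo-reply / time-exceeded / unreachable on the outside interface's inbound ACL depending on direction, and "set connection decrement-ttl" if the ASA itself should appear as a traceroute hop. The script below is an added example, not code from either reply or from Cisco: it parses a saved "show running-config" and reports which of those pieces are missing for each use case. The configuration texts, ACL names (OUTSIDE_IN, ICMP-list, ICMP-class) and interface name "outside" are constructed for the example, the parser only understands "any ... any" style ICMP entries, and it models the thread's rule set only (it does not model "inspect icmp error").

```python
"""
Audit an ASA running-config for the ICMP pieces that ping and traceroute need.
Added example based on the forum replies; the config text below is constructed.
"""
import re

# ICMP type names the ASA accepts after "permit icmp any any", with their numbers,
# so numeric entries in a config normalize to the same names.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
ICMP_NAMES = {num: name for name, num in ICMP_TYPES.items()}

# ICMP types that must be permitted inbound on the outside interface per use case,
# following the thread. echo-reply is dropped from every case when "inspect icmp"
# is on, because inspection then matches the reply to the outbound echo statefully.
NEEDS = {
    "ping inside->outside": {"echo-reply"},
    "traceroute inside->outside": {"echo-reply", "time-exceeded", "unreachable"},
    "ping outside->inside": {"echo"},
}

# Simplified ACL grammar: only "any"/"any4"-style single-token endpoints (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+icmp\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (icmp permits per ACL, inbound ACL per interface, feature flags)."""
    permits = {}   # ACL name -> set of permitted ICMP type names ("*" = any type)
    bound = {}     # interface name -> ACL applied inbound
    flags = {"inspect icmp": False, "decrement-ttl": False}
    for raw in text.splitlines():
        line = raw.strip()          # policy-map/class-map bodies are indented
        m = ACL_RE.match(line)
        if m:
            name, action, _src, _dst, icmp_type = m.groups()
            if action != "permit":
                continue            # an explicit deny never satisfies a need
            types = permits.setdefault(name, set())
            if icmp_type is None:
                types.add("*")
            elif icmp_type.isdigit():
                types.add(ICMP_NAMES.get(int(icmp_type), icmp_type))
            else:
                types.add(icmp_type)
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)
            continue
        if line == "inspect icmp":
            flags["inspect icmp"] = True
        elif line == "set connection decrement-ttl":
            flags["decrement-ttl"] = True
    return permits, bound, flags


def audit(text, outside="outside"):
    """Map each use case to the ICMP types still missing from the outside inbound ACL."""
    permits, bound, flags = parse_config(text)
    allowed = permits.get(bound.get(outside, ""), set())
    report = {}
    for case, needed in NEEDS.items():
        missing = set() if "*" in allowed else needed - allowed
        if flags["inspect icmp"]:
            missing.discard("echo-reply")
        report[case] = sorted(missing)
    report["asa visible as traceroute hop"] = flags["decrement-ttl"]
    return report


# Constructed config: only the entries XIE lists for traceroute from inside to outside.
CONFIG_BEFORE = """
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# Constructed config: adds the inbound echo permit and the decrement-ttl class.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list OUTSIDE_IN extended permit icmp any any echo
access-list ICMP-list extended permit icmp any any
class-map ICMP-class
 match access-list ICMP-list
policy-map global_policy
 class ICMP-class
  set connection decrement-ttl
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(cfg))
```

Run it against the output of "show running-config" saved to a file by replacing the constructed strings; an empty list for a use case means the outside inbound ACL already carries every type that case needs.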
