02-12-2013 09:56 PM - edited 03-11-2019 06:00 PM
Hi,
I want to allow traceroute & Ping from ASA's Outside Interface to Inside Interface.
Please share the details.
02-12-2013 11:41 PM
If you want to allow ping from INSIDE to OUTSIDE:
For ping, inspect ICMP should work.
For traceroute, you have to add the below ACL on the outside interface (inbound):
access-list ICMP extended permit icmp any any unreachable
access-list ICMP extended permit icmp any any time-exceeded
access-list ICMP extended permit icmp any any echo-reply
If the direction is from OUTSIDE to INSIDE, then:
For ping, you have to add one more entry:
access-list ICMP extended permit icmp any any echo
For traceroute, if it is Windows tracert, then there is nothing else to add, but if it's Cisco IOS or Linux, then it's a bit complex, as they are typically addressed to a pseudorandom high port; AFAIK it's difficult to define precisely, and you have to use a more general ACL.
Regards
XIE
02-19-2013 07:08 PM
For ping, make sure to have the icmp inspection enabled.
For traces, create a new class-map just for the ICMP traffic, associate it to the default policy-map and use this command:
"set connection decrement-ttl".
i.e.:
access-list ICMP-list permit icmp any any
class-map ICMP-class
 match access-list ICMP-list
policy-map global_policy
 class ICMP-class
  set connection decrement-ttl
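A consolidated ASA configuration that ties the pieces from both replies together (ICMP inspection, the outside-interface ACL, and the decrement-ttl class), added here as an illustration and not taken from the thread; the interface names "outside" and "inside", the ACL name OUTSIDE_IN, and the use of the default global_policy are assumptions.

```cisco
! Added illustration, not from the thread. Assumes interfaces named
! "outside" and "inside" and the default policy-map "global_policy".

! 1) Stateful ICMP inspection. Echo-replies for inside-originated pings
!    are allowed back in by the inspection engine, and "inspect icmp error"
!    ties ICMP error messages (unreachable, time-exceeded) to the
!    connection that triggered them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 2) Return traffic for traceroute started on the inside. Only the ICMP
!    types traceroute depends on are permitted, not a blanket "icmp any any".
!    If the outside interface already has an inbound ACL, add these lines
!    to it instead; one access-group is allowed per interface and direction.
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any echo-reply
! Only if ping from outside hosts to inside hosts is actually required;
! this exposes every inside host behind the ASA to inbound echo requests:
! access-list OUTSIDE_IN extended permit icmp any any echo
access-group OUTSIDE_IN in interface outside

! 3) Make the ASA show up as a hop by decrementing the TTL on matched
!    connections (the "set connection decrement-ttl" from the second reply).
!    Matching only ICMP covers Windows tracert; UDP-based traceroute
!    (Linux, Cisco IOS) is only affected if the class also matches those
!    probes.
access-list ICMP-list extended permit icmp any any
class-map ICMP-class
 match access-list ICMP-list
policy-map global_policy
 class ICMP-class
  set connection decrement-ttl

service-policy global_policy global
```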