Allowing traceroute on ASA 8.6 version

Gagandeep Kumar
Level 1

I have a 5512 running 8.6 and I need to allow traceroute through it for troubleshooting purposes. As inbound traffic has to be allowed specifically for the original address on 8.6, do I have to allow the entire inside subnet if I want my entire subnet to be able to run traceroutes?

I have tried enabling ICMP inspection as well as allowing inbound time-exceeded replies for the NATed IP, but to no avail.

Is there any standard best practice for such scenarios? Because allowing inbound icmp/time-exceeded on the original IP address is working here.

Thanks for reading and for your valuable suggestions :)

1 Reply

johnlloyd_13
Level 9

hi,

try this:

! ICMP error inspection: translate the addresses embedded in returning
! ICMP error messages (time-exceeded, unreachable)
policy-map global_policy
 class inspection_default
  inspect icmp error

! Permit the two ICMP types a traceroute relies on, inbound on outside
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable

access-group OUTSIDE-IN in interface outside
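A tightened variant of the reply above, added here as an example rather than the reply's own configuration: on 8.3+ code (8.6 included) an ACL applied to the outside interface references the real, pre-NAT inside addresses, so the destination can be scoped to the inside subnet instead of "any", and packet-tracer can confirm the entry is hit. The inside subnet 10.1.1.0/24, the host 10.1.1.50, the transit hop 203.0.113.1, the object name INSIDE-NET and the interface names inside/outside are assumptions.

```cisco
! Added example, not the reply's config. Assumes ASA 8.6, an inside network
! of 10.1.1.0/24 (placeholder) and interfaces named "inside" / "outside".
!
! Real (pre-NAT) inside subnet: this is what outside-facing ACLs match on
! 8.3+ code, so the whole subnet can be covered with one object, without
! enumerating hosts or using the translated address.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
!
! Permit only the ICMP error types a traceroute depends on, and only when
! destined to the real inside subnet (instead of "any any").
access-list OUTSIDE-IN extended permit icmp any object INSIDE-NET time-exceeded
access-list OUTSIDE-IN extended permit icmp any object INSIDE-NET unreachable
access-group OUTSIDE-IN in interface outside
!
! "inspect icmp" tracks echo requests as connections; "inspect icmp error"
! makes the ASA translate the addresses carried inside returning ICMP
! error messages so they match the original inside host.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification: simulate a time-exceeded (ICMP type 11, code 0) from a
! transit hop (placeholder 203.0.113.1) arriving on outside for an inside
! host. The ACCESS-LIST phase of the output should report ALLOW.
packet-tracer input outside icmp 203.0.113.1 11 0 10.1.1.50
!
! Hit counts on the two ACEs should increase while a traceroute runs.
show access-list OUTSIDE-IN
show service-policy inspect icmp
```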
