I have a 5512 with 8.6 and I need to allow traceroute through it for troubleshooting purposes. As inbound traffic has to be allowed specifically for the original address on 8.6, do I have to allow the entire Inside subnet in case I want my entire subnet to be able to make traceroutes?
I have tried enabling ICMP inspection as well as allowing inbound time-exceeded replies for the NATted IP, but to no avail.
Is there any standard best practice for such scenarios? Because allowing inbound icmp/time-exceeded on the original IP address is working here.
Thanks for reading it and for your valuable suggestions :)