The instruction "Accomodate

network770 · ‎06-17-2011

we need to be able to traceroute to the internet through the asa, but when the traffic hits the asa i then get requst time out.

i can ping but not traceroute, is there an easy fix?

Maykol Rojas · ‎06-17-2011

Hi,

ciscoasa#config t 
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply 
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded 
ciscoasa(config)#access-list internal-out permit icmp any any unreachable 
ciscoasa(config)#policy-map global_policy 
ciscoasa(config-pmap)#class inspection_default 
ciscoasa(config-pmap-c)#
inspect icmp
 
ciscoasa(config-pmap-c)#
inspect icmp error
 
ciscoasa(config-pmap-c)#end 
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside

Accomodate the access list name to the one that you have on the outside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Mike

manish arora · ‎06-17-2011

You will one extra line to what Mike said :-

ciscoasa(config)#access-list internal-out permit icmp any any traceroute

Manish

jeffkim.cisco · ‎01-09-2017

this will not bring down the network?

internal-out ACL has deny any any at the end.

So, would it block all the traffics except icmp?

Marvin Rhoads · ‎01-09-2017

The instruction "Accomodate the access list name to the one that you have on the outside." menas you would add those lines to an existing ACL that is already applied on the outside interface.

Anu M Chacko · ‎06-17-2011

Hi,

Did you strictly follow the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace

The following might help:

https://supportforums.cisco.com/docs/DOC-1636

Also, make sure you have inspect icmp and inspect icmp error turned on.

Regards,

Anu

cannot traceroute through the asa