ping and traceroute on multiple context mode not working (security appliance)
11-24-2009 09:38 AM - edited 03-11-2019 09:42 AM
Hi
I cannot make ping & traceroute work in multiple context mode.
I have configured two contexts, context1 & context2. The second one has several VLANs and servers behind it. Then I added the lines below to test whether the servers behind the security appliance (context2) are online:
access-list outside_access_in extended permit icmp any any time-exceeded log disable
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-group outside_access_in in interface outside
This works fine in single mode, but it seems to have no effect in multiple context mode.
Is there something missing?
Any ideas?
Thanks
Labels: NGFW Firewalls
11-24-2009 12:05 PM
Osavldo
It's a little unclear but echo-reply would presume you are pinging from the servers. If you are trying to ping the servers from the outside then it should be echo-request not echo-reply.
Jon

11-24-2009 12:29 PM
Enable ICMP and ICMP error inspection on both contexts.
what the logs on both contexts.
11-25-2009 08:39 AM
Ok, thanks very much
I changed my rules to:
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any echo
The ping command now works, but not the traceroute.
Thanks

11-25-2009 09:35 AM
Are you sure you have all of this in place?
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace
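
An added example, not part of the thread and not Cisco code: a simplified stateless model of which arriving packets the two ACLs posted above would match on the outside interface. It assumes no ICMP inspection and no security-level logic, and the traffic list is constructed for illustration; the ICMP type numbers are the standard ones (echo 8, echo-reply 0, time-exceeded 11, traceroute 30).

```python
# Added example: stateless model of an inbound ACL on the outside interface.
# Assumption: no ICMP inspection and no security-level logic, only ACL matching.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8,
              "time-exceeded": 11, "traceroute": 30}

FIRST_ACL = """
access-list outside_access_in extended permit icmp any any time-exceeded log disable
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-group outside_access_in in interface outside
"""
SECOND_ACL = """
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any echo
"""

# Constructed sample traffic arriving on the outside interface: (protocol, ICMP type).
ARRIVING = {
    "ping from outside": ("icmp", 8),
    "Windows tracert from outside": ("icmp", 8),
    "UNIX traceroute from outside": ("udp", None),
    "echo reply to an inside ping": ("icmp", 0),
    "time-exceeded for an inside traceroute": ("icmp", 11),
}

def parse_acl(config):
    """Return (protocol, icmp_type or None) for each 'permit <proto> any any' line."""
    rules = []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or "permit" not in tok:
            continue  # access-group and other commands carry no match criteria
        i = tok.index("permit")
        if tok[i + 2:i + 4] != ["any", "any"]:
            raise ValueError("model only handles 'any any': " + line)
        qualifier = tok[i + 4] if len(tok) > i + 4 else None
        rules.append((tok[i + 1], ICMP_TYPES.get(qualifier)))
    return rules

def permitted(rules, proto, icmp_type):
    """Permit on any matching rule; anything unmatched hits the implicit deny."""
    return any(p == proto and (t is None or t == icmp_type) for p, t in rules)

def evaluate(config):
    rules = parse_acl(config)
    return {name: permitted(rules, *pkt) for name, pkt in ARRIVING.items()}

if __name__ == "__main__":
    for label, acl in (("first ACL", FIRST_ACL), ("second ACL", SECOND_ACL)):
        print(label, evaluate(acl))
```

In this model the first ACL matches only return traffic for tests started from the inside, while the second matches echo requests from the outside but no UDP probes and no time-exceeded messages.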
