ping & traceroute through firewall

ronshuster
Level 1

I am trying to get a few workstations to ping and traceroute to the Internet via an ASA5520. I have a permit ip any any for all incoming traffic hitting the inside interface and am still unable to ping/traceroute the Internet.

Any idea?

5 Replies

ajagadee
Cisco Employee

Roni,

It is hard to say what is wrong without the configuration. Have you already configured NAT, ACLs, etc.? You also mention a few clients; does this mean the other workstations are working? I hope the below URL helps:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Regards,

Arul

*Pls rate if it helps*

Our Internet access works perfectly OK from a NAT, PAT and ACL standpoint; the only thing is that we cannot ping or traceroute to the Internet.

I have a permit ip any any on all traffic inbound on the INSIDE interface. Is that sufficient, or do I need to apply the following as well?

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded

I just ran a packet capture; results:

RESULTS - The packet is dropped
Info : (rpf violated) Reverse-path verify failed

I tried to remove the following, but am still unable to ping:

ip verify reverse-path interface Outside
ip verify reverse-path interface Inside

If you're using the ASA, you also need to configure the ICMP inspection using the icmp permit command set, e.g.:

icmp permit any inside
icmp permit echo-reply outside
icmp permit unreachable outside
icmp permit traceroute outside

HTH

P-J Nefkens

Hi,

The above lines need to be applied on the outside interface:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

OR

The other option is to enable inspection, for example:

policy-map global_policy
 class inspection_default
  inspect icmp

Please refer to the below URL for details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Regards,

Arul

*Pls rate if it helps*
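As an added example that is not from the thread or from Cisco: a small Python audit that reads a pasted ASA config excerpt and reports whether either of the two options above is in place, i.e. `inspect icmp` under `class inspection_default` of `policy-map global_policy`, or an ACL bound `in interface outside` that permits each of the four reply types listed in the thread. The interface name `outside`, the policy and class names, and the two sample configs are assumptions constructed for the example.

```python
import re

# Reply types that ping and traceroute need back in through "outside" (per the thread).
RETURN_ICMP_TYPES = {"echo-reply", "unreachable", "time-exceeded", "source-quench"}


def audit_icmp_return(config: str) -> dict:
    """Report whether an ASA config lets ICMP replies back in on the outside interface,
    via ICMP inspection (option 1) or an inbound ACL on outside (option 2)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Option 1: walk the policy-map / class hierarchy (ASA indents it, so track state).
    in_global = in_class = inspect_icmp = False
    for ln in lines:
        if ln.startswith("policy-map "):
            in_global = ln.split()[1] == "global_policy"
            in_class = False
        elif in_global and ln.startswith("class "):
            in_class = ln.split()[1] == "inspection_default"
        elif in_global and in_class and ln == "inspect icmp":
            inspect_icmp = True

    # Option 2: ACL names bound inbound on outside, then the ICMP types those ACLs permit.
    bound = set()
    for ln in lines:
        m = re.fullmatch(r"access-group (\S+) in interface outside", ln)
        if m:
            bound.add(m.group(1))
    permitted = set()
    for ln in lines:
        m = re.fullmatch(r"access-list (\S+) (?:extended )?permit icmp any any (\S+)", ln)
        if m and m.group(1) in bound:
            permitted.add(m.group(2))

    missing = sorted(RETURN_ICMP_TYPES - permitted)
    return {
        "inspect_icmp": inspect_icmp,
        "acl_permits": sorted(permitted),
        "acl_missing": missing,
        "ok": inspect_icmp or not missing,
    }


# Constructed sample: ACL on outside that forgot time-exceeded (traceroute hops would not appear).
SAMPLE_ACL_ONLY = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-group 101 in interface outside
"""

# Constructed sample: inspection enabled instead, so no ICMP ACL entries are needed.
SAMPLE_INSPECT = """
policy-map global_policy
 class inspection_default
  inspect icmp
"""
```

Run `audit_icmp_return(open("running-config.txt").read())` against a saved `show running-config`; a non-empty `acl_missing` with `inspect_icmp` false is the situation the original poster hit.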
