07-19-2013 11:52 AM - edited 03-11-2019 07:14 PM
Hi folks,
Recently, I got help from Jouni restricting port access from the outside. Previously, I allowed IP and ICMP from outside, and, for example, traceroute displayed the router names/addresses. After only allowing those ports open that correspond to internal servers, traceroute stopped working.
How can I get traceroute information, while locking down all irrelevant ports?
Best regards,
Peter
07-20-2013 04:23 AM
Hi,
You could start by checking if you have the following configurations
Issue the following command to see what inspections you have enabled
show run policy-map
Check if you have any "icmp" related inspections enabled. If not, then add the following to the same section where the rest of them are
inspect icmp error
inspect icmp
Also add the following statements to the ACL that is attached to your "outside" interface:
access-list OUTSIDE-IN line 1 remark Allow ICMP Return messages
access-list OUTSIDE-IN line 2 permit icmp any any unreachable
access-list OUTSIDE-IN line 3 permit icmp any any time-exceeded
Naturally, your "outside" interface ACL was named differently, so use that name instead. I inserted "line" numbers as I typically keep these rules at the very top of the ACL.
You might notice on the traceroutes taken from a host that the ASA will still not show up in the traceroute. There is a configuration that will allow the ASA to show up in traceroutes also, but I don't typically enable it myself.
- Jouni
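As an added illustration, not part of Jouni's answer and not Cisco code, the Python model below parses access-list lines in the form shown above and evaluates the ICMP replies a traceroute depends on against them: intermediate hops answer with time-exceeded (type 11) and the destination with port-unreachable (type 3) for UDP probes or echo-reply (type 0) for ICMP probes. The parser handles only the "any any" address form used in the thread, the hop addresses and the "before" and "after" ACLs are constructed for the example, and treating the echo-reply as permitted by the stateful "inspect icmp" is a simplification of ASA behaviour.

```python
"""Model of how an outside-in ACL affects the replies traceroute relies on.

Added example (not from the original thread). The ACL handling is a small
subset written for this illustration, not the ASA parser.
"""
from dataclasses import dataclass
from typing import List, Optional

# ASA ACL icmp keywords used here -> ICMP type number
ICMP_KEYWORDS = {
    "echo": 8,
    "echo-reply": 0,
    "unreachable": 3,      # code 3 = port unreachable ends a UDP traceroute
    "time-exceeded": 11,   # TTL expired in transit, sent by each hop
}

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp" | "udp" | "tcp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" | "deny"
    proto: str
    icmp_type: Optional[int]         # None -> any ICMP type
    dport: Optional[int]             # None -> any port

def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form
    'access-list NAME [line N] [extended] permit|deny PROTO any any [icmp-kw | eq PORT]'.
    Remark lines are skipped; only 'any any' addresses are modelled."""
    aces = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list":
            continue
        tok = tok[2:]                          # drop 'access-list NAME'
        if tok[:1] == ["line"]:
            tok = tok[2:]                      # drop 'line N'
        if tok[:1] == ["extended"]:
            tok = tok[1:]
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        rest = tok[4:]                         # skip 'any any'
        icmp_type = dport = None
        if proto == "icmp" and rest:
            icmp_type = ICMP_KEYWORDS[rest[0]]
        elif rest[:1] == ["eq"]:
            dport = int(rest[1])
        aces.append(Ace(action, proto, icmp_type, dport))
    return aces

def acl_permits(aces: List[Ace], pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for ace in aces:
        if ace.proto not in (pkt.proto, "ip"):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False

# Constructed addresses: the probing host as seen on the outside, and three hops.
PROBER = "203.0.113.10"
HOPS = ["192.0.2.1", "198.51.100.1", "198.51.100.9"]

def traceroute_replies(hops: List[str], probe_proto: str = "udp") -> List[Packet]:
    """Constructed inbound replies for a traceroute to hops[-1]."""
    replies = [Packet("icmp", hop, PROBER, 11, 0) for hop in hops[:-1]]
    dest = hops[-1]
    if probe_proto == "udp":
        replies.append(Packet("icmp", dest, PROBER, 3, 3))   # port unreachable
    else:
        replies.append(Packet("icmp", dest, PROBER, 0, 0))   # echo reply
    return replies

def visible_hops(aces: List[Ace], replies: List[Packet], stateful_echo: bool = True) -> List[str]:
    """Hop addresses the host would print; '*' where the reply is dropped.
    With stateful_echo, an echo-reply to the host's own probe is treated as
    allowed by 'inspect icmp' (a simplification); ICMP errors need the ACL."""
    seen = []
    for r in replies:
        allowed = acl_permits(aces, r) or (stateful_echo and r.icmp_type == 0)
        seen.append(r.src if allowed else "*")
    return seen

# Constructed ACLs: the locked-down one, and the same plus the thread's additions.
ACL_BEFORE = """
access-list OUTSIDE-IN extended permit tcp any any eq 443
access-list OUTSIDE-IN extended permit tcp any any eq 25
"""
ACL_AFTER = """
access-list OUTSIDE-IN line 1 remark Allow ICMP Return messages
access-list OUTSIDE-IN line 2 permit icmp any any unreachable
access-list OUTSIDE-IN line 3 permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit tcp any any eq 443
access-list OUTSIDE-IN extended permit tcp any any eq 25
"""

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, visible_hops(parse_acl(acl), traceroute_replies(HOPS)))
```

Running it prints every hop as "*" for the locked-down ACL and the three hop addresses once the unreachable and time-exceeded permits are present; other inbound traffic, such as TCP to port 22, is still denied by the implicit deny, which is the point of adding only those two ICMP types.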
07-20-2013 06:25 AM
Thanks! Now it's working nicely!
Have a nice day :-)
Peter