06-11-2013 08:42 PM - edited 03-11-2019 06:56 PM
I changed from a Linksys E4200 to a 5505 and when I use trace route, it doesn't return a DNS name for each hop. I can see the hops shown as asterisks. Do I have to add something to inspect for this to work?
Accepted Solutions
06-12-2013 03:35 AM
Hi,
You could try the following (depending on whether your "policy-map" configuration is at its default settings):
policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp
Then you could add the following to your ACL attached to your "outside" interface, or configure a new ACL on your "outside" interface if it doesn't yet exist:
access-list OUTSIDE-IN remark Allow ICMP return messages
access-list OUTSIDE-IN permit icmp any any unreachable
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside
You will naturally use the existing ACL if you have one. If no ACL exists you can use the above configuration as it is.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
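
An added example, not part of the original reply: a small Python check that reads ASA `access-list` lines and reports which ICMP types each ACL admits, so you can confirm that an outside ACL like the one above lets traceroute replies in without also admitting inbound echo requests. The `LAB-IN` line is a constructed contrast case, and the parser assumes only the `any`, `host A` and `A MASK` address forms.

```python
# ICMP type keywords used by the ACL on this page, plus "echo" for comparison.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Constructed sample: the entries from the answer plus one untyped rule (LAB-IN).
SAMPLE_ACL = """\
access-list OUTSIDE-IN remark Allow ICMP return messages
access-list OUTSIDE-IN permit icmp any any unreachable
access-list OUTSIDE-IN permit icmp any any time-exceeded
access-list OUTSIDE-IN permit icmp any any echo-reply
access-list LAB-IN permit icmp any any
"""

def _skip_address(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK' (assumed forms)."""
    if not tokens:
        return tokens
    return tokens[1:] if tokens[0] in ("any", "any4", "any6") else tokens[2:]

def parse_icmp_aces(text):
    """Return {acl_name: [icmp_type_or_None, ...]} for 'permit icmp' entries."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, rest = t[1], t[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "icmp"]:
            continue
        rest = _skip_address(_skip_address(rest[2:]))
        acls.setdefault(name, []).append(rest[0] if rest else None)
    return acls

def permits(ace_types, icmp_type):
    """True if any entry matches; None means no type filter (all ICMP).
    No match at all models the ACL's implicit deny."""
    return any(t is None or (int(t) if t.isdigit() else ICMP_TYPES.get(t)) == icmp_type
               for t in ace_types)

def audit(text):
    """Names of ACLs that would admit inbound echo requests (type 8)."""
    return sorted(n for n, types in parse_icmp_aces(text).items() if permits(types, 8))

if __name__ == "__main__":
    for name, types in parse_icmp_aces(SAMPLE_ACL).items():
        for label, num in ICMP_TYPES.items():
            print(f"{name:11} {label:14} {'permit' if permits(types, num) else 'deny'}")
    print("ACLs admitting inbound echo:", audit(SAMPLE_ACL))
```
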
