04-29-2014 07:58 AM - edited 03-11-2019 09:08 PM
Hi
I have tried to allow traceroute for one PC for testing purposes, but it is not working.
Model: ASA 5515-X, Version: 9.12
I have also allowed the access lists below, but the user is still getting * * *
access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
access-group acl_out in interface inside
access-group acl_in in interface outside
fixup protocol icmp
fixup protocol icmp-error
04-29-2014 05:47 PM
Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.
access-list acl_out line 1 permit icmp any any echo
It would be easier to just allow all icmp outbound:
access-list acl_out line 1 permit icmp any any
Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, all inside-initiated flows to the outside are allowed.
04-30-2014 02:32 PM
If you are actually just configuring the ACL as a test, then I would suggest checking the logs to see what is built, for any future troubleshooting, so you can understand what is going through the ASA.
FYI: the inspection rule allows traceroute, and you don't need ACLs from a higher-security interface to a lower one.
Also check the next link:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
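The two answers above together describe the working setup: ICMP inspection handles the return traffic, and the only thing the inside ACL must add is the probe traffic the tracing host itself sends. The configuration below is an added example written for this thread, not taken from the original posts or from Cisco's documentation. It reuses the interface and ACL names from the question (inside/outside, acl_out/acl_in); the ASA 9.x policy-map structure is standard, but the UDP port range and the commented-out inbound entries are illustrative choices, not something the thread states.

```text
! Added example: minimal ASA 9.x configuration letting an inside host traceroute outward.
!
! 1. ICMP inspection. "inspect icmp" tracks the outbound echo requests and opens the
!    return path for echo-replies; "inspect icmp error" matches the time-exceeded and
!    unreachable messages sent by intermediate routers to the original flow (using the
!    embedded inner header), so neither needs an inbound ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Outbound ACL on the inside interface. As soon as any ACL is applied here, its
!    implicit deny drops everything else, so the probes the tracing host sends must be
!    permitted explicitly. Windows tracert sends ICMP echo; Linux/macOS traceroute
!    defaults to UDP probes (commonly 33434-33534), so both are permitted here.
!    The original acl_out had neither line, which is why every hop showed * * *.
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit udp any any range 33434 33534
! ...plus whatever other outbound traffic the site needs (e.g. permit ip any any for a
!    pure test), otherwise it is now blocked.
access-group acl_out in interface inside
!
! 3. Inbound ACL on the outside interface. With ICMP inspection enabled, the return
!    ICMP messages are admitted by the inspection engine and these entries are not
!    required. They are what you would need only if inspection were turned off.
! access-list acl_in extended permit icmp any any echo-reply
! access-list acl_in extended permit icmp any any time-exceeded
! access-list acl_in extended permit icmp any any unreachable
! access-group acl_in in interface outside
```

To confirm which path is in use, run `show service-policy inspect icmp` to see the inspection counters increment while the trace runs, and `show access-list acl_out` to check that the echo or UDP entry, not the implicit deny, is the one collecting hit counts.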
05-19-2014 12:11 PM
Hey, could you please mark the ticket as answered.