Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2149
Views
0
Helpful
5
Replies

Traceroute "Deny inbound icmp"

Go to solution
Delmiro Campelo
Level 1
Level 1

‎03-29-2013 06:21 PM - edited ‎03-11-2019 06:21 PM

Hi,

I'm having difficulties with getting traceroute to work from inside to outside. Regular pings work fine, but not traceroute. I thought the icmp inspection would allow alll icmp traffic, I have icmp inspection on globally as well as inside interface.

Commands:

policy-map global_policy-map

class global_class-map

  inspect icmp

  inspect icmp error

policy-map inside_policy-map

class inside_class-map

  inspect icmp

  inspect icmp error

service-policy global_policy-map global

service-policy inside_policy-map interface inside

icmp permit any outside

Here is the output:

On the Real-Time Log Viewer:

3Deny inbound icmp src outside:4.69.150.77 dst inside:10.0.1.68 (type 11, code 0)

Thanks for your help

Delmiro

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎03-29-2013 09:15 PM

Hello Delmiro,

I would guess you already have an ACL on the outside interface of your ASA to allow some traffic from OUT to IN right?

Well let's say that the ACL is called Outside_In

Perfom the following to make this happen

access-list Outside_In permit icmp any any eq time-exceeded

Then give it a try and let us know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎03-29-2013 09:15 PM

Hello Delmiro,

I would guess you already have an ACL on the outside interface of your ASA to allow some traffic from OUT to IN right?

Well let's say that the ACL is called Outside_In

Perfom the following to make this happen

access-list Outside_In permit icmp any any eq time-exceeded

Then give it a try and let us know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Delmiro Campelo
Level 1
Level 1
In response to Julio Carvajal

‎03-30-2013 05:56 AM

Thank you that worked perfectly! I have a  question, I thought that ICMP inspection would dynamically open up the necessary for port all icmp traffic?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Delmiro Campelo

‎03-30-2013 12:45 PM

Hello Delmiro,

Amazing to hear that I could help someone else

Let me explain you this:

ICMP inspection : This command will convert the ICMP protocol into a stateful protocol but it will work with the basic icmp echo and echo reply , it will check the ICMP ID and place it into it's stateful table waiting for a reply...

In our scenario we are sending from a windows machine ICMP echo paquets with a TTL of 1 and keeps growing as it keeps moving BUT the reply will be an ICMP unreachable which the ASA will not be expecting then dropping it..

Hope that you could understand, if you do not have any other question please mark it as answered

If not let me know an I will do it one more time

Remember to rate all of the helpful posts ( by marking the stars at the left 5 being amazing 1 being the worst answer ever )

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Delmiro Campelo
Level 1
Level 1
In response to Julio Carvajal

‎03-30-2013 02:27 PM

I appreciate your help, it makes sense now, thanks.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Delmiro Campelo

‎03-30-2013 03:19 PM

Sure Delmiro,

Have a good one

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card