traceroute through an ASA

walter1972
Level 1

I'm trying to permit traceroute (from an internal server) through my ASA to any host on the outside. So far I can only find information relating to traceroute to show the ASA...

policy-map global_default
 class class-default
  set connection decrement-ttl
icmp unreachables rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
access-list OUTSIDE_IN permit icmp any any
access-group OUTSIDE_IN in interface outside

How can I simply allow traceroute through the ASA - do I need to look into setting up an access-list for the Unix/Windows traceroute ports?

Perhaps someone can post a similar example for me?

Many thanks!!!

4 Replies

JORGE RODRIGUEZ
Level 10

Try this example from the link below.

remove:
no access-list OUTSIDE_IN permit icmp any any

add:
access-list OUTSIDE_IN permit icmp any any echo-reply
access-list OUTSIDE_IN permit icmp any any source-quench
access-list OUTSIDE_IN permit icmp any any unreachable
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp

Reference this link for more details on how PIX/ASA handles ICMP and traceroutes.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0
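A small configuration check, added here as an example and not part of the thread or of any Cisco tooling: it parses the ASA fragment from the reply above (embedded as a constructed sample), finds the ACL applied inbound on the outside interface, reports whether that ACL admits the ICMP replies a traceroute depends on (time-exceeded from each hop, unreachable from a UDP-probe target, echo-reply from an ICMP-probe target), flags a typeless `permit icmp any any` as overly broad, and notes whether `inspect icmp` is enabled. Function and constant names, and the keyword subset in `ICMP_TYPE_KEYWORDS`, are my own assumptions.

```python
# Constructed sample: the ASA fragment recommended in the reply, pasted together.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN permit icmp any any echo-reply
access-list OUTSIDE_IN permit icmp any any source-quench
access-list OUTSIDE_IN permit icmp any any unreachable
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# ICMP messages a traceroute depends on receiving back: time-exceeded from each
# intermediate hop, unreachable (port) from a UDP-probe target, echo-reply from
# an ICMP-probe (Windows tracert) target.
TRACEROUTE_RETURN_TYPES = {"time-exceeded", "unreachable", "echo-reply"}
# ICMP type keywords recognised at the end of an ASA icmp ACE (assumed subset
# for this example; the full ASA keyword list is longer).
ICMP_TYPE_KEYWORDS = TRACEROUTE_RETURN_TYPES | {"source-quench", "echo"}


def audit_traceroute_return(config, interface="outside"):
    """Report whether the ACL bound inbound on `interface` admits traceroute replies."""
    permitted = {}      # ACL name -> set of ICMP types it permits ("any" = no type)
    bound = {}          # interface -> ACL name applied with "access-group ... in"
    inspect_icmp = False
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2:4] == ["permit", "icmp"]:
            icmp_type = tok[-1] if tok[-1] in ICMP_TYPE_KEYWORDS else "any"
            permitted.setdefault(tok[1], set()).add(icmp_type)
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
        elif tok == ["inspect", "icmp"]:
            inspect_icmp = True
    acl = bound.get(interface)
    types = permitted.get(acl, set())
    blanket = "any" in types      # typeless "permit icmp any any": all ICMP, too broad
    return {
        "acl": acl,
        "blanket_icmp": blanket,
        "missing": [] if blanket else sorted(TRACEROUTE_RETURN_TYPES - types),
        "inspect_icmp": inspect_icmp,
    }


if __name__ == "__main__":
    print(audit_traceroute_return(SAMPLE_CONFIG))
```

Paste a `show running-config` excerpt in place of the sample to check a real box; a non-empty `missing` list means hops or the destination will show up as `* * *`.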