07-15-2009 11:08 AM - edited 03-11-2019 08:55 AM
I'm trying to permit traceroute (from an internal server) through my ASA to any host on the outside. So far I can only find information relating to traceroute to show the ASA...
policy-map global_default
class class-default
set connection decrement-ttl
icmp unreachables rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
access-list OUTSIDE_IN permit icmp any any
access-group OUTSIDE_IN in interface outside
How can I simply allow traceroute through the ASA - do I need to look into setting up an access-list for the Unix/Windows traceroute ports?
Perhaps someone can post a similar example for me?
Many thanks!!!
07-15-2009 12:48 PM
Try this
example from link below
remove
no access-list OUTSIDE_IN permit icmp any any
add
access-list OUTSIDE_IN permit icmp any any echo-reply
access-list OUTSIDE_IN permit icmp any any source-quench
access-list OUTSIDE_IN permit icmp any any unreachable
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
policy-map global_policy
class inspection_default
inspect icmp
Reference this link for more details on how PIX/ASA handles ICMP and traceroutes.
Additionally, I would not recommend having icmp permit any outside unless you are testing ICMP on the outside interface; your outside interface will be pingable from any source on the outside.
There should be no impact from disabling ICMP on the outside interface.
no icmp permit any outside
icmp deny any outside
Regards
07-15-2009 06:18 PM
you can add
inspect icmp error
in addition to inspect icmp
and only allow
access-list OUTSIDE_IN permit icmp any any unreachable
access-list OUTSIDE_IN permit icmp any any time-exceeded
via acl.
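As an added illustration of what the two replies above describe (this is example code, not from the thread, from Cisco, or from any ASA feature): the script below builds the UDP probes a Unix traceroute sends with a small TTL, constructs the ICMP time-exceeded and port-unreachable errors that routers and the target send back, decodes the quoted probe header out of each error (the part `inspect icmp error` has to translate, and what ties a reply to its probe), and checks each reply against the ICMP types the recommended OUTSIDE_IN access-list permits. All packets are constructed in the file; the addresses (10.1.1.10, 198.51.100.1, 203.0.113.1, 192.0.2.5) and ports are assumptions for the example.

```python
"""Added example (not part of the thread): decode the ICMP errors a traceroute
depends on and check them against the inbound ICMP ACL recommended above.
All packets are constructed here; addresses and ports are illustrative."""
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 0, 3, 11
UDP, ICMP = 17, 1

# ASA ACL keywords from the reply above mapped to ICMP type numbers (RFC 792)
PERMITTED_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
# Unix traceroute sends UDP probes starting at port 33434, one port per probe
TRACEROUTE_BASE_PORT = 33434


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """One traceroute probe: UDP to a high port with a deliberately small TTL."""
    udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0) + b"\x00" * 32
    return ipv4(src, dst, UDP, udp, ttl)


def icmp_error(sender: str, probe: bytes, icmp_type: int, code: int) -> bytes:
    """ICMP error quoting the probe's IP header plus its first 8 payload bytes (the UDP header)."""
    probe_src = str(ipaddress.IPv4Address(probe[12:16]))
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4(sender, probe_src, ICMP, body)


def parse_reply(packet: bytes) -> dict:
    """Decode an inbound ICMP datagram; for errors, recover the quoted probe's UDP ports."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP:
        raise ValueError("not an ICMP packet")
    body = packet[ihl:]
    reply = {"from": str(ipaddress.IPv4Address(packet[12:16])),
             "type": body[0], "code": body[1]}
    if reply["type"] in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
        quoted = body[8:]                      # original IP header + 8 bytes
        q_ihl = (quoted[0] & 0x0F) * 4
        reply["probe_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        if quoted[9] == UDP:
            reply["probe_sport"], reply["probe_dport"] = struct.unpack(
                "!HH", quoted[q_ihl:q_ihl + 4])
    return reply


def acl_permits(reply: dict, permitted=PERMITTED_TYPES) -> bool:
    """'access-list OUTSIDE_IN permit icmp any any <keyword>' matches on ICMP type only."""
    return reply["type"] in permitted.values()


def hop_result(reply: dict) -> str:
    """What traceroute prints for a reply: an intermediate hop, the final host, or a timeout."""
    if not acl_permits(reply):
        return "*"                             # dropped by the ASA; traceroute shows a timeout
    if reply["type"] == ICMP_TIME_EXCEEDED and reply["code"] == 0:
        return "hop " + reply["from"]
    if reply["type"] == ICMP_UNREACHABLE and reply["code"] == 3:
        return "destination " + reply["from"]  # port unreachable: the probe reached the target
    if reply["type"] == ICMP_ECHO_REPLY:
        return "destination " + reply["from"]  # Windows tracert (ICMP echo probes) ends this way
    return "other " + reply["from"]


def simulate_traceroute(src="10.1.1.10", dst="192.0.2.5",
                        path=("198.51.100.1", "203.0.113.1")):
    """Constructed exchange: each hop answers time-exceeded until the target answers port-unreachable."""
    results = []
    for ttl in range(1, len(path) + 2):
        probe = udp_probe(src, dst, 40000, TRACEROUTE_BASE_PORT + ttl - 1, ttl)
        if ttl <= len(path):
            wire = icmp_error(path[ttl - 1], probe, ICMP_TIME_EXCEEDED, 0)
        else:
            wire = icmp_error(dst, probe, ICMP_UNREACHABLE, 3)
        reply = parse_reply(wire)
        # The quoted UDP destination port is how traceroute (and inspect icmp error) matches reply to probe
        assert reply["probe_dport"] == TRACEROUTE_BASE_PORT + ttl - 1
        results.append(hop_result(reply))
    return results


if __name__ == "__main__":
    for line in simulate_traceroute():
        print(line)
```

The point the decoder makes visible: the probe itself is outbound UDP, so it leaves through the inside interface like any other connection; the only thing the outside ACL must admit is the ICMP error coming back, which is why permitting `time-exceeded` and `unreachable` (and `echo-reply` for ICMP-based tracert) is enough, and why the ASA needs the quoted header inside the error to translate it correctly.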
07-16-2009 07:14 AM
So are you saying I don't need the set connection decrement-ttl command?
Also I have seen this ACL mentioned in another post:
access-list outside_access_in line 3 permit udp host x.x.x.x object-group TCP-UDP host x.x.x.x object-group TCP-UDP
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x range 33400 33600 (hitcnt=0)
Again, is this not necessary?
Thanks for helping everyone!!
07-16-2009 07:41 AM
This command is only required if you want the ASA show as a hop count when doing traceroute.
see guideline(set connection decrement-ttl)
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1299054
B.Regards