04-02-2021 03:15 AM
I have applied the following filtering on ASA public interface so that nobody can ping it from internet, but everything from firewall / lan should be pingable. This is working fine but I realized we can't traceroute anymore. How can I enable traceroute while also keeping this configuration?
icmp permit host x.x.x.x outside (Data center IP)
icmp permit any echo-reply outside
04-02-2021 07:45 AM
Are you referring to tracerouting through the ASA or from the ASA?
For traffic "to" the ASA, in the ICMP control list, traffic not matched is denied. You'd need to permit ICMP Type 3 (destination unreachable) and 11 (time exceeded).
If you were referring to traffic "through" the ASA, refer to this guide.
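The reply above as a concrete ASA configuration (an added example, not the poster's configuration or any reply in this thread); the interface name and x.x.x.x placeholder are taken from the question:

```text
! ICMP control list on "outside": entries are evaluated top-down and any
! ICMP packet addressed to the ASA itself that matches no entry is dropped.
! x.x.x.x is the data-center address placeholder from the question.
icmp permit host x.x.x.x outside
icmp permit any echo-reply outside
! Traceroute replies come back as ICMP type 11 (time-exceeded) and
! type 3 (unreachable); without these two lines the ASA drops them.
icmp permit any time-exceeded outside
icmp permit any unreachable outside
! Check the resulting order of the list:
! show running-config icmp
```

Echo requests from the internet still match no entry and stay blocked, so the original goal of the list is unchanged.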
04-05-2021 05:13 AM
Thank you.
It works.
Strange, because I already had an explicit ACL on the outside interface to permit time-exceeded and unreachable, but I believe if I use an ICMP ACL, then everything that I need should be in the ICMP ACL itself.