Unable to traceroute after icmp filtering

InTheJuniverse (Level 1)

I have applied the following filtering on the ASA public interface so that nobody can ping it from the internet, but everything from the firewall / LAN should be pingable. This is working fine, but I realized we can't traceroute anymore. How can I enable traceroute while also keeping this configuration?


icmp permit host x.x.x.x outside (Data center IP)
icmp permit any echo-reply outside

Accepted Solution

Hi @InTheJuniverse 

Are you referring to tracerouting through the ASA or from the ASA?

 

For traffic "to" the ASA, with the ICMP control list, traffic that is not matched is denied. You'd need to permit ICMP Type 3 (destination unreachable) and 11 (time exceeded).

 

If you were referring to traffic "through" the ASA, refer to this guide.
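The control list described above, written out as an added example (not the poster's or the answerer's configuration): the two original lines beside the same list extended with the ICMP types a traceroute run from the ASA needs to receive, using the x.x.x.x placeholder from the question.

```cisco
! Before (the list from the question). As soon as any "icmp" rule exists
! on an interface, ICMP to that interface that matches no rule is dropped,
! so the replies that build a traceroute never reach the ASA.
icmp permit host x.x.x.x outside
icmp permit any echo-reply outside

! After: same policy, plus the two message types traceroute depends on.
! Rules are evaluated first-match, so the permits sit above the final
! deny (which only makes the implicit default explicit).
icmp permit host x.x.x.x outside
icmp permit any echo-reply outside
! type 11, returned by each intermediate hop when the probe's TTL expires
icmp permit any time-exceeded outside
! type 3, returned by the destination for UDP-probe traceroute (port unreachable)
icmp permit any unreachable outside
icmp deny any outside
```

The list only governs ICMP addressed to the ASA's own interface; traceroute passing through the ASA is handled by interface access lists and inspection, as the answer notes.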


2 Replies


InTheJuniverse (Level 1)

Thank you.

 

It works.

 

Strange, because I already had an explicit ACL on the outside interface to permit time exceeded and unreachable, but I believe if I use an icmp ACL, then everything that I need should be in the icmp ACL itself.
