
Ping and Traceroute with MPLS and ASA for internet

eddie.sardinha
Level 1

All,

I am using MPLS for all internal traffic and configured a default static route sending internet through an ASA 5506 with another ISP connected to the WAN port.

This now allows us to use an internet circuit and MPLS for internal data traffic. I am not able to ping or traceroute to the internet. Is there an access list that will allow this?

Thanks,

Accepted Solutions

Philip D'Ath
VIP Alumni

For "ping" add it to your global policy.  Depending on which flavour of traceroute you use, it may also make it work.

policy-map global_policy
 class inspection_default
  ...
  inspect icmp
  inspect icmp error

That did work for echo-replies. Thanks. I was also able to find this access list that enabled ping and traceroutes without the inspect icmp.

access-list outside_tracert extended permit icmp any any time-exceeded 
access-list outside_tracert extended permit icmp any any unreachable 

I would personally use the inspection approach as it means the firewall is at least checking that traffic, rather than just letting it pass straight through.

It would be great if you could rate the responses (or mark them as correct) if they helped.
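
The difference the last reply points to, between checking ICMP replies and letting them pass straight through, as an added example that is not part of the thread and is not ASA code: a type-only filter stands in for the two outside_tracert entries and a generic flow tracker stands in for inspection. All class, function and field names and the documentation-range addresses are constructed for illustration, and the tracker is an assumption about stateful ICMP handling in general, not a description of ASA internals.

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # ICMP types

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0
    seq: int = 0
    quoted: Optional["Icmp"] = None  # original packet quoted inside an ICMP error

def acl_permits(pkt: Icmp) -> bool:
    """Stateless model of the two outside_tracert entries: ICMP type is the only test."""
    return pkt.type in (TIME_EXCEEDED, UNREACHABLE)

class StatefulIcmp:
    """Generic stateful ICMP tracking (assumption: simplified, not ASA internals)."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Icmp) -> None:
        if pkt.type == ECHO_REQUEST:
            self.flows.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))

    def inbound_permits(self, pkt: Icmp) -> bool:
        if pkt.type == ECHO_REPLY:
            return (pkt.dst, pkt.src, pkt.ident, pkt.seq) in self.flows
        if pkt.type in (TIME_EXCEEDED, UNREACHABLE) and pkt.quoted is not None:
            q = pkt.quoted  # an error is accepted only if it quotes a packet we sent
            return (q.src, q.dst, q.ident, q.seq) in self.flows
        return False

def compare() -> dict:
    """Run constructed sample packets (documentation addresses) through both models."""
    probe = Icmp("192.0.2.10", "198.51.100.7", ECHO_REQUEST, ident=7, seq=1)
    never_sent = Icmp("192.0.2.10", "198.51.100.9", ECHO_REQUEST, ident=99, seq=5)
    fw = StatefulIcmp()
    fw.outbound(probe)
    inbound = {
        "hop reply to our probe": Icmp("203.0.113.1", "192.0.2.10", TIME_EXCEEDED, quoted=probe),
        "unsolicited time-exceeded": Icmp("203.0.113.66", "192.0.2.10", TIME_EXCEEDED, quoted=never_sent),
        "unsolicited unreachable": Icmp("203.0.113.66", "192.0.2.10", UNREACHABLE, quoted=never_sent),
    }
    return {name: (acl_permits(p), fw.inbound_permits(p)) for name, p in inbound.items()}

if __name__ == "__main__":
    for name, (acl, stateful) in compare().items():
        print(f"{name:27} acl={acl!s:5} stateful={stateful}")
```

Each result pair is (type-only filter, flow tracker): both accept the hop reply that quotes the tracked probe, while only the type-only filter accepts the two messages that quote a packet the inside host never sent.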
