02-18-2016 05:49 PM - edited 03-05-2019 07:00 AM
All,
I am using MPLS for all internal traffic and configured a default static route sending internet through an ASA 5506 with another ISP connected to the WAN port.
This now allows us to use an internet circuit and MPLS for internal data traffic. I am not able to ping or traceroute to the internet. Is there an access list that will allow this?
Thanks,
Solved! Go to Solution.
02-18-2016 08:45 PM
For "ping" add it to your global policy. Depending on which flavour of traceroute you use, it may also make it work.
policy-map global_policy
class inspection_default
...
inspect icmp
inspect icmp error
02-19-2016 07:19 AM
That did work for echo replies. Thanks. I was also able to find this access list that enabled ping and traceroute without the inspect icmp.
access-list outside_tracert extended permit icmp any any time-exceeded
access-list outside_tracert extended permit icmp any any unreachable
02-21-2016 11:23 AM
I would personally use the inspection approach as it means the firewall is at least checking that traffic, rather than just letting it pass straight through.
It would be great if you could rate the responses (or mark them as correct) if they helped.
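The two approaches discussed in this thread side by side, as an added example rather than config posted by anyone here. The inspection block is the complete default global policy with ICMP inspection enabled (stateful: only replies and errors matching an outbound session are let back in); the ACL block is the alternative from the earlier reply, applied to the outside interface, which admits any time-exceeded or unreachable message regardless of session state. The interface name `outside` is assumed.

```cisco
! --- Approach 1: stateful ICMP inspection (preferred) ---
! The ASA only passes echo-replies, time-exceeded and unreachable
! messages that correspond to a connection it already tracks.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Approach 2: static ACL on the outside interface ---
! Lets ICMP errors in from any source with no session check.
! Note: an interface holds one inbound ACL; if "outside" already has
! one, add these lines to that ACL instead of replacing it.
access-list outside_tracert extended permit icmp any any time-exceeded
access-list outside_tracert extended permit icmp any any unreachable
access-group outside_tracert in interface outside
```

With approach 1, a UDP-based (Unix-style) traceroute relies on `inspect icmp error` to match the returning ICMP errors to the outbound UDP flow, which is why the earlier reply says it depends on the traceroute flavour.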