Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1706
Views
0
Helpful
5
Replies

Cisco 3750 Switch does not allow ICMP traffic

Edward M.
Level 1
Level 1

‎08-06-2021 09:46 AM

Dear All, 

 

I am junior network administrator and pretty new in cisco networking world.

I'm not quite sure why my Cisco 3750 switch do not pass the ICMP/traceroute traffic.

 

I have ASA Firewall A which is connected to ASA Firewall B through a Cisco Switch between which does routing for LANs behind the firewalls. The routing and required ACLs are configured on both firewalls, and there is no ACL configured on the switch. 

I have one Windows VM running behind Firewall B and I can access the LAN and ping nodes behind firewall A from the VM, 

but when I trace route the same nodes, it stocks on Cisco switch and it does not pass it to firewall A as next hop.

 

Appreciate your advise and help.

Thanks

Ed

Labels:
0 Helpful
5 Replies 5

Elliot Dierksen
VIP
VIP

‎08-06-2021 10:34 AM - edited ‎08-06-2021 10:35 AM

If you see the IP of the 3750, that means it responded. By default, ASA firewalls do not respond/participate to traceroute requests. You would also need to make sure that the lower security interface of the ASA permits ICMP unreachable for traceroute to work correctly through it.

0 Helpful

Edward M.
Level 1
Level 1
In response to Elliot Dierksen

‎08-06-2021 11:25 AM - edited ‎08-06-2021 11:26 AM

Dear Elliot, Thanks for your reply.

I do see the 3750 IP in trace route output,  and I assume that it has passed the firewall B already even though I don't see the FW B interface IP.

I have also ACLs on both interface of FW A allowing ICMP traffic for both ping and traceroute, but still no joy.

0 Helpful

Elliot Dierksen
VIP
VIP
In response to Edward M.

‎08-06-2021 11:57 AM

It isn't traceroute that you need to allow, it is time-exceeded. I mispoke in the first post. The response in trace route is a time-exceeded ICMP packet which must be explicitly permitted in the ACL of the lower security interface.

0 Helpful

Edward M.
Level 1
Level 1
In response to Elliot Dierksen

‎08-06-2021 01:21 PM

Thanks Ellliot,

I added the  icmp/time-exceeded to the ACL on all interfaces of FW A.

So I have icmp, icmp/time-exceeded, icmp/traceroute, icmp/unreachable but still no joy.

 

0 Helpful

Elliot Dierksen
VIP
VIP
In response to Edward M.

‎08-06-2021 01:54 PM

In the asa's, do "debug icmp trace" and see what output you get. Have a CLI session open to both ASA's that are part of the path. That should give you an idea what is happening.

0 Helpful
Customers Also Viewed These Support Documents