Traceroute behind an ASA firewall...

Unanswered Question
Sep 7th, 2007

Hello,

We are a Windows 2003 network and use an ASA firewall. We can traceroute from the ASA device but not from our desktops. Do you know the syntax we need to add this to our outside access-lists? TIA, Gary

hsajwan Fri, 09/07/2007 - 14:47

Rather, you can also open ICMP completely by using "permit icmp any any" on the outside interface access-list.

a.alekseev Sat, 09/08/2007 - 00:10

conf t
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error


GRANT GATHAGAN Tue, 10/02/2007 - 21:48

I still can't run traceroute through my ASA, even though it's configured as shown:


policy-map global_policy

class inspection_default

inspect icmp error

inspect icmp

!

service-policy global_policy global


I've issued the "clear x" command and even tried adding the following commands:


icmp permit any Outside

icmp permit any Inside



When I try "tracert yahoo.com", this is what the ASDM log shows (note that I've reversed the order to show earliest message first):


Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)

Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:(gateway address) dstInside:(outside IP address)(type 11,code 0)

Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)



Since I can place a computer on the same public IP subnet that the outside interface of the ASA resides on and get traceroutes to work without issue, I know the problem lies with the ASA.

GRANT GATHAGAN Thu, 10/11/2007 - 21:45

Interestingly enough, I tried using the ACL method:

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

instead of the global policy method, and that worked fine.


Go figure...
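An added example (mine, not code from any poster in this thread) that turns the troubleshooting in the two posts above into a check: it parses ASA 106014 "Deny inbound icmp" lines like the ones pasted from ASDM, decodes the ICMP type to the keyword the working access-list uses, and emits the minimal permit lines. The sample log lines, the RFC 5737 addresses and the access-list number 101 are constructed or assumed.

```python
import re

# ICMP types a traceroute client must receive back through the firewall,
# keyed to the keywords used in the thread's working access-list.
TRACEROUTE_REPLY_TYPES = {
    0: "echo-reply",      # final hop answering an ICMP echo probe (Windows tracert)
    3: "unreachable",     # final hop answering a UDP probe (Unix traceroute, code 3)
    4: "source-quench",   # in the thread's ACL; obsolete, but kept for parity
    11: "time-exceeded",  # every intermediate hop; the type denied in the pasted log
}

# Matches the %ASA-3-106014 "Deny inbound icmp" text. Whitespace around "dst" and
# "code" is optional because the pasted ASDM log had it collapsed ("dstInside", "11,code").
DENY_RE = re.compile(
    r"106014:Deny inbound icmp src (?P<src_if>\w+):(?P<src>\S+)\s*"
    r"dst\s*(?P<dst_if>\w+):(?P<dst>\S+)\s*\(type (?P<type>\d+),\s*code (?P<code>\d+)\)"
)

def parse_icmp_denies(log_lines):
    """Return one dict per 106014 line; 302020/302021 and other lines are skipped."""
    findings = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        icmp_type = int(m.group("type"))
        findings.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "type": icmp_type, "code": int(m.group("code")),
            "keyword": TRACEROUTE_REPLY_TYPES.get(icmp_type),  # None: not a traceroute reply
        })
    return findings

def suggest_acl(findings, acl_name="101"):
    """Minimal permit lines, in the thread's ACL style, for each denied traceroute reply type."""
    types = sorted({f["type"] for f in findings if f["type"] in TRACEROUTE_REPLY_TYPES})
    return [f"access-list {acl_name} permit icmp any any {TRACEROUTE_REPLY_TYPES[t]}" for t in types]

# Constructed sample in the format of the pasted ASDM log. RFC 5737 documentation
# addresses stand in for the poster's "(gateway address)" / "(outside IP address)".
SAMPLE_LOG = [
    "Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr 198.51.100.2 laddr 192.168.1.20",
    "Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:203.0.113.1 dst Inside:198.51.100.2 (type 11, code 0)",
    "Oct 02 2007 19:26:37 106014:Deny inbound icmp src Outside:203.0.113.9 dstInside:198.51.100.2(type 3,code 3)",
    "Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr 198.51.100.2 laddr 192.168.1.20",
]

if __name__ == "__main__":
    print("\n".join(suggest_acl(parse_icmp_denies(SAMPLE_LOG))))
```

Run against a real ASDM or syslog export instead of SAMPLE_LOG to see which reply types the outside ACL is still dropping; a stream of type 11 denies while tracert runs is the signature of the symptom described in the thread.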
