Configure ASA to allow traceroute responses

Feb 7th, 2008

How do you configure the ASA's to allow icmp traceroute responses through the firewall?

Example below:

C:\>tracert -d www.foo.com

Tracing route to www.foo.com [216.234.246.150]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.31    <-- Fictitious IP
  2    <1 ms    <1 ms    <1 ms  192.168.1.1      <-- Fictitious IP
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8    16 ms    16 ms    16 ms  216.234.246.150

1cmerchant Fri, 02/08/2008 - 05:46

Here is one way to do it:

access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded
access-list Outside_In extended permit icmp any any echo-reply

swharvey Fri, 02/08/2008 - 08:43

I wish I could say that works, but we've already had the following object-group in place for some time, and the timeouts still occur:

access-list acl-outside line 2 remark permit ICMP permits
access-list acl-outside line 3 extended permit icmp any any object-group icmp 0x39f88eb2
access-list acl-outside line 3 extended permit icmp any any echo (hitcnt=413608) 0xe22b3df2
access-list acl-outside line 3 extended permit icmp any any echo-reply (hitcnt=215003) 0xbfd87324
access-list acl-outside line 3 extended permit icmp any any unreachable (hitcnt=205341) 0xfbeab6da
access-list acl-outside line 3 extended permit icmp any any time-exceeded (hitcnt=26955) 0x23448f6f

Could there be an icmp inspect issue? Currently we are on v3.2.3 and icmp inspect is enabled.

swharvey Fri, 02/08/2008 - 09:46

TAC had the answer. On the FWSMs, icmp fixup and icmp fixup error are not enabled by default.

I enabled both and the default policy-map now allows traces:
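Putting the two halves of this thread together, the inbound ICMP permits from the first reply and the two ICMP inspections from the TAC resolution, the following is a complete configuration fragment in ASA Modular Policy Framework syntax. It is an added example, not configuration posted in the thread. Assumptions: the outside interface is named `outside`; `Outside_In` is the ACL name used in the first reply; `global_policy` and `inspection_default` are the ASA default policy-map and class names. The poster's "icmp fixup" and "icmp fixup error" are the legacy names for `inspect icmp` and `inspect icmp error`, so an FWSM running config should be checked for the equivalent lines.

```cisco
! Added example (ASA MPF syntax), not from the thread.
! Assumptions: outside interface is named "outside"; Outside_In is the
! inbound ACL name from the first reply; global_policy / inspection_default
! are the ASA default policy-map and class names.

! 1. Inbound ICMP permits on the outside interface (first reply).
!    Only the three message types a traceroute needs back are opened.
access-list Outside_In extended permit icmp any any echo-reply
access-list Outside_In extended permit icmp any any time-exceeded
access-list Outside_In extended permit icmp any any unreachable
access-group Outside_In in interface outside

! 2. ICMP inspection (the TAC fix). "icmp fixup" / "icmp fixup error"
!    in the last post are the legacy names for these two inspections.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

! 3. Verify: both inspections are listed and their counters move while
!    a traceroute runs from the inside.
! show run policy-map
! show service-policy global
! show access-list Outside_In
```

The second inspection is the one that matters for the `* * *` pattern in the question. The time-exceeded messages from hops 3 to 7 carry the original echo request inside them, and when that request was translated on the way out, the firewall has to untranslate the embedded header and match it to the existing connection before it can forward the error inward; `inspect icmp error` is what does that. Without it the final hop still answers (its echo-reply matches the outbound request directly, hence hop 8 in the question) while every intermediate hop appears to time out, which is exactly what the poster saw with the ACL permits already in place. With both inspections enabled the firewall tracks each echo request as a connection and admits its reply and related errors statefully, so the `any any` ICMP permits above carry most of their weight only when inspection is off; keep them limited to these three message types rather than permitting all ICMP inbound.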
