ACESM inspection

May 26th, 2008
Hi all,

I have an ACESM. When I do a traceroute from a PC to the servers behind the ACE, I'm getting the next hop as the ACE IP address all the time, like the following example:

1 <1 ms <1 ms <1 ms ACE-IP
2 3 ms 3 ms 3 ms ACE-IP
3 3 ms 3 ms 3 ms ACE-IP
4 3 ms 3 ms 3 ms ACE-IP
5 3 ms 3 ms 3 ms ACE-IP
6 50 ms 50 ms 53 ms ACE-IP

I know there is an ICMP inspection which might have blocked this ... but how can I disable it?

Please advise.

Roble Mumin Mon, 05/26/2008 - 03:22

Hi Hassan,


Try the following config and apply it to the VLAN pointing towards the clients. What you need to do is inspect the ICMP traffic.


---


access-list ICMP line 10 extended permit icmp any any

class-map match-all ICMP-INSPECT-L4CLASS
  description ICMP fixup - L4 Class
  2 match access-list ICMP

policy-map multi-match ICMP-Policy
  description Inspect ICMP
  class ICMP-INSPECT-L4CLASS
    inspect icmp error

interface vlan xyz
  service-policy input ICMP-Policy


Hope it helps


Roble

shday Thu, 08/04/2011 - 15:23

I have the same problem. I want to be able to ping through the ACE to the backend layer 2 VLANs from a server outside the ACE. This is what I have configured and it does not work. Vlan302 is the L# VLAN that allows all traffic into my ACE.


access-list icmp line 10 extended permit icmp any any

class-map match-all icmp-allow-inspect
  2 match access-list icmp

policy-map multi-match icmp-allow-inspect-mmpl
  class icmp-allow-inspect
    inspect icmp error

interface vlan 302 - public facing VIPs- ingress
  ip address 74.113.93.37 255.255.255.224
  alias 74.113.93.36 255.255.255.224
  peer ip address 74.113.93.38 255.255.255.224
  service-policy input mgmt
  service-policy input icmp-allow-inspect-mmpl
  no shutdown

interface vlan 308 - server - L2
  ip address 10.62.22.130 255.255.255.192
  alias 10.62.22.129 255.255.255.192
  peer ip address 10.62.22.131 255.255.255.192
  service-policy input icmp-allow-inspect-mmpl
  no shutdown
