ACESM inspection

hassan_oudeh · ‎05-26-2008

Hi all,

I have ACESM, when i do traceroute from PC to the servers behind ACE im getting the next hop as the ACE IP address all the time like the follwoign example:

1 <1 ms <1 ms <1 ms ACE-IP

2 3 ms 3 ms 3 ms ACE-IP

3 3 ms 3 ms 3 ms ACE-IP 4 3 ms 3 ms 3 ms ACE-IP 5 3 ms 3 ms 3 ms ACE-IP 6 50 ms 50 ms 53 ms ACE-IP

i know there is an icmp inspection which might bloceked this ... but how can i disable it ??

please advice

Roble Mumin · ‎05-26-2008

Hi Hassan,

try following config and apply it to the vlan pointing towards the clients. What you need to do is inspect the ICMP traffic.

---

access-list ICMP line 10 extended permit icmp any any

class-map match-all ICMP-INSPECT-L4CLASS

description ICMP fixup - L4 Class

2 match access-list ICMP

policy-map multi-match ICMP-Policy

description Inspect ICMP

class ICMP-INSPECT-L4CLASS

inspect icmp error

interface vlan xyz

service-policy input ICMP-Policy

Hope it helps

Roble

tkni · ‎10-07-2008

all vlan pz

shday · ‎08-04-2011

I have the same problem. I want to be able to ping through the ACE to the backend layer 2 vlans from a server outside the ACE. This is what I have configured and does not work. Vlan302 is the L# vlan that allows all traffic into my ACE.

access-list icmp line 10 extended permit icmp any any

class-map match-all icmp-allow-inspect

2 match access-list icmp

policy-map multi-match icmp-allow-inspect-mmpl

class icmp-allow-inspect

inspect icmp error

interface vlan 302 - public facing VIPs- ingress

ip address 74.113.93.37 255.255.255.224

alias 74.113.93.36 255.255.255.224

peer ip address 74.113.93.38 255.255.255.224

service-policy input mgmt

service-policy input icmp-allow-inspect-mmpl

no shutdown

interface vlan 308 - server - L2

ip address 10.62.22.130 255.255.255.192

alias 10.62.22.129 255.255.255.192

peer ip address 10.62.22.131 255.255.255.192

service-policy input icmp-allow-inspect-mmpl

no shutdown