09-30-2008 12:45 AM - edited 03-11-2019 06:51 AM
Hi,
For me to get tracert to work through my Cisco ASA and any DMZ/sub-interfaces, I had to create a rule on the inside and other interfaces:
permit icmp any any
Is this a security risk or can I leave these on each interface?
09-30-2008 12:48 AM
Hello Whitford,
Remove the ACLs and just add inspect icmp and inspect icmp error in the global policy global_policy:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
See if it works...
09-30-2008 01:44 AM
Hello,
I am using the ASDM but am happy to go into the CLI; which part do I need to add to do tracert between interfaces?
Just this?
policy-map global_policy
 class inspection_default
  inspect icmp
09-30-2008 01:48 AM
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
Make sure there is no ACL on the inside/higher-security interface blocking ICMP.
Now try a tracert from the higher-security/LAN side to a device in the lower-security zone and it should work.
09-30-2008 02:07 AM
No luck, I'm afraid. This is what I already have, but it works when I add the permit icmp any any:
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error
Could it be an ACE? I have a deny any any at the bottom of each interface ACL.
Thanks
09-30-2008 02:10 AM
If you have an ACL on the LAN/higher-security interface, then you must open icmp any any eq echo in it; the return reply will be taken care of by inspect.
09-30-2008 02:19 AM
Hi,
In order to get tracert to work through the ASA, do the following:
ciscoasa(config)#class-map class-default
ciscoasa(config-cmap)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, which (somewhat) hides the firewall as a hop.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default, so the ASA warns:
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust the rate of ICMP unreachable replies the ASA itself sends.
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts (* * *) for the ASA hop.
ciscoasa(config)#access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
ciscoasa(config)#access-list outside-in-acl extended permit icmp any any time-exceeded
!--- The access-list on the far end of the ICMP traffic (in this case the
!--- outside interface) needs to be modified in order to allow ICMP type 11
!--- (time-exceeded) replies from the intermediate hops back in:
ciscoasa(config)#access-group outside-in-acl in interface outside
Rate if helpful.
Thanks
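To make the trade-off in this thread concrete, the following is an added example (not code from the thread, from the Cisco tech note, or from the ASA) that models which ICMP messages a Windows tracert exchanges and checks each one against ASA-style ICMP ACEs, so the wide permit icmp any any the original poster used can be compared with the narrowed ACEs. ICMP type numbers are from RFC 792 and the ACE type keywords (echo, echo-reply, time-exceeded, unreachable, redirect, timestamp-request) are the ASA access-list keywords; the firewall behaviour is deliberately simplified and is an assumption of the model: with inspect icmp the echo-reply to a tracked outbound echo is admitted by the connection, while the time-exceeded from each intermediate hop is checked against the far-end interface ACL, which is why the tech note adds permit icmp any any time-exceeded there. The function names (parse_ace, acl_allows, tracert_messages, blocked_messages) are the example's own.

```python
"""Model of the ICMP messages a Windows tracert needs through a firewall,
checked against ASA-style ICMP ACEs.  Added example; the firewall model is
a simplification (see blocked_messages), not a description of ASA internals.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type numbers from RFC 792.
ECHO_REPLY, UNREACHABLE, REDIRECT, ECHO, TIME_EXCEEDED, TIMESTAMP = 0, 3, 5, 8, 11, 13

# ASA `access-list ... permit icmp any any <keyword>` type keywords (subset).
ICMP_KEYWORDS = {
    "echo": ECHO,
    "echo-reply": ECHO_REPLY,
    "time-exceeded": TIME_EXCEEDED,
    "unreachable": UNREACHABLE,
    "redirect": REDIRECT,
    "timestamp-request": TIMESTAMP,
}


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    icmp_type: Optional[int]  # None means any ICMP type


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny icmp any any [type-keyword]' (simplified ASA ACE syntax)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "icmp":
        raise ValueError(f"unsupported ACE: {line!r}")
    icmp_type = ICMP_KEYWORDS[tokens[4]] if len(tokens) > 4 else None
    return Ace(tokens[0], icmp_type)


def acl_allows(acl: list[str], icmp_type: int) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.icmp_type is None or ace.icmp_type == icmp_type:
            return ace.action == "permit"
    return False


def tracert_messages(hops: int) -> list[tuple[str, int]]:
    """(direction, icmp_type) pairs a Windows tracert exchanges over `hops` hops:
    one outbound echo per TTL value, a time-exceeded back from every
    intermediate hop, and an echo-reply back from the destination."""
    msgs = []
    for ttl in range(1, hops + 1):
        msgs.append(("out", ECHO))
        msgs.append(("in", TIME_EXCEEDED if ttl < hops else ECHO_REPLY))
    return msgs


def blocked_messages(inside_acl: list[str], outside_acl: list[str],
                     hops: int = 3, inspect_icmp: bool = True) -> list[tuple[str, int]]:
    """Return the tracert messages the two interface ACLs would drop.

    Assumed (simplified) firewall model: outbound messages are checked
    against the inside ACL; with `inspect icmp` the echo-reply to a tracked
    echo is admitted by the connection and needs no ACE; everything else
    coming back, in particular the time-exceeded from intermediate hops,
    is checked against the outside (far-end) ACL."""
    blocked = []
    for direction, icmp_type in tracert_messages(hops):
        if direction == "out":
            allowed = acl_allows(inside_acl, icmp_type)
        elif inspect_icmp and icmp_type == ECHO_REPLY:
            allowed = True
        else:
            allowed = acl_allows(outside_acl, icmp_type)
        if not allowed:
            blocked.append((direction, icmp_type))
    return blocked


WIDE = ["permit icmp any any"]                      # what the original poster added
NARROW_INSIDE = ["permit icmp any any echo"]        # only the probe itself
NARROW_OUTSIDE = ["permit icmp any any time-exceeded"]  # only the hop replies (tech note)

if __name__ == "__main__":
    print("wide/wide blocked:", blocked_messages(WIDE, WIDE))
    print("narrow/narrow blocked:", blocked_messages(NARROW_INSIDE, NARROW_OUTSIDE))
    print("no type-11 ACE blocked:", blocked_messages(NARROW_INSIDE, []))
    for name, acl in (("wide", WIDE), ("narrow outside", NARROW_OUTSIDE)):
        print(name, "admits redirect:", acl_allows(acl, REDIRECT),
              "timestamp-request:", acl_allows(acl, TIMESTAMP))
```

Running it shows that both the wide ACL and the narrowed pair pass every message tracert needs, and that dropping the time-exceeded ACE on the far end produces exactly the blocked hop replies that show up as * * * rows. The difference is in what else gets through: permit icmp any any also admits redirects, timestamp requests and every other ICMP type from that side, while the narrowed ACEs give the same working tracert with only the echo and time-exceeded types exposed.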
09-30-2008 04:14 AM
It seems to work only if I have an icmp any any in on my "inside" interface and on my "DMZ" interface. So I need two rules to get it to work; does this sound right to you?
Security levels =
DMZ = 10
Outside = 0
Inside = 100
My policy:
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error