ping & traceroute through firewall

Unanswered Question
Dec 16th, 2008

I am trying to get a few workstations to ping and traceroute to the Internet via an ASA5520. I have a permit ip any any for all incoming traffic hitting the inside interface and am still unable to ping/traceroute the Internet.

Any idea?

ronshuster Tue, 12/16/2008 - 08:23

Our Internet access works perfectly OK from a NAT & PAT & ACL standpoint... the only thing is that we cannot ping & traceroute to the Internet.

I have a permit ip any any on all traffic incoming on the INSIDE interface. Is that sufficient, or do I need to apply the following as well:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded

ronshuster Tue, 12/16/2008 - 08:46

I just ran a packet capture, results:

RESULTS - The packet is dropped
Info : (rpf violated) Reverse-path verify failed

I tried to remove the following but am still unable to ping:

ip verify reverse-path interface Outside
ip verify reverse-path interface Inside

nefkensp Tue, 12/16/2008 - 13:08

If you're using the ASA, you also need to configure the ICMP inspection using the icmp permit command set, e.g.:

icmp permit any inside
icmp permit echo-reply outside
icmp permit unreachable outside
icmp permit traceroute outside

HTH

P-J Nefkens

ajagadee Tue, 12/16/2008 - 14:23

Hi,

The above lines need to be applied on the outside interface:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

OR

The other option is to enable inspection. For example:

policy-map global_policy
 class inspection_default
  inspect icmp

Please refer to the URL below for details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Regards,

Arul

*Pls rate if it helps*
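As an added illustration (not code from this thread or from Cisco), here is a small Python model of why the replies are dropped unless one of the two options above is in place, and how the static ACL differs from inspection. The packets, addresses and the firewall behaviour are simplified assumptions, not a real capture.

```python
from collections import namedtuple

# One ICMP packet as seen by the firewall (constructed sample data, not a real capture).
# icmp_type: 8 = echo request, 0 = echo reply, 11 = time exceeded, 3 = unreachable.
# embedded: the (src, dst, ident, seq) of the original request quoted inside an
# ICMP error message; None for echo request/reply.
Pkt = namedtuple("Pkt", "iface src dst icmp_type ident seq embedded")
INSIDE, OUTSIDE = "inside", "outside"

class IcmpFirewall:
    def __init__(self, inspect_icmp=False, outside_acl=()):
        self.inspect_icmp = inspect_icmp      # models "inspect icmp" in the policy-map
        self.outside_acl = set(outside_acl)   # ICMP types the outside access-group permits
        self.conns = set()                    # pinholes: (src, dst, ident, seq)

    def process(self, p):
        if p.iface == INSIDE:                 # inside -> outside: permit ip any any
            if self.inspect_icmp and p.icmp_type == 8:
                self.conns.add((p.src, p.dst, p.ident, p.seq))   # remember the request
            return "permit"
        # outside -> inside, option 1: a static ACL on the outside interface
        if p.icmp_type in self.outside_acl:
            return "permit"
        # option 2: inspection admits only replies to requests it has seen
        if self.inspect_icmp:
            key = (p.dst, p.src, p.ident, p.seq)
            if p.icmp_type == 0 and key in self.conns:
                self.conns.discard(key)       # one reply per request
                return "permit"
            # ICMP errors come from an intermediate hop, not the pinged host,
            # so they are matched on the original packet embedded in the error
            if p.icmp_type in (3, 11) and p.embedded in self.conns:
                return "permit"
        return "drop"

def ping_and_traceroute(fw):
    """Verdicts for (a) the echo reply to a ping and (b) the time-exceeded
    a traceroute probe draws from a router on the path."""
    fw.process(Pkt(INSIDE, "10.0.0.5", "198.51.100.1", 8, 1, 1, None))
    reply = fw.process(Pkt(OUTSIDE, "198.51.100.1", "10.0.0.5", 0, 1, 1, None))
    fw.process(Pkt(INSIDE, "10.0.0.5", "198.51.100.1", 8, 1, 2, None))   # TTL=1 probe
    hop = fw.process(Pkt(OUTSIDE, "203.0.113.9", "10.0.0.5", 11, 0, 0,
                         ("10.0.0.5", "198.51.100.1", 1, 2)))
    return reply, hop

if __name__ == "__main__":
    print("no ACL, no inspection:", ping_and_traceroute(IcmpFirewall()))
    print("inspect icmp:", ping_and_traceroute(IcmpFirewall(inspect_icmp=True)))
```

The model makes the trade-off visible: the ACL option admits any echo-reply or time-exceeded that arrives on the outside interface, while inspection admits only those that match a request the firewall saw leave.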
