I'm setting up an ASA5520 (version 8.2(1)) and would like to enable Traceroute from the Inside to the Outside. Most articles tell you to use ICMP Inspection instead of ACLs for this. ICMP Inspection appears to only allow replies that are from the destination IP and not the time-exceeded messages from the hops along the way.
ICMP Inspection allows Pings to work fine to the outside but when I try to traceroute, I will only receive the last reply from the destination, and all intermediary hops are timed out.
C:\Users\Craig>tracert -d 126.96.36.199
Tracing route to 188.8.131.52 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 34 ms 33 ms 33 ms 184.108.40.206
By enabling ICMP inspection, I can see how many hops away the destination is, but I'd also like to see the addresses of those hops.
I could add an ACL to allow ICMP time-exceeded messages in, but isn't that not recommended? And all these Cisco articles seem to imply that ICMP Inspection should handle traceroute without ACLs:
So does ICMP inspection do anything but allow pings back? Shouldn't it know the state of a traceroute request and allow time-exceeded messages back to the requesting computer?
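For comparison, here is an added ASA 8.2 configuration fragment (not from the poster, not from the Cisco articles) showing the plain `inspect icmp` setup that only lets echo replies back, next to the two ways of also admitting the time-exceeded and unreachable messages that a traceroute needs from intermediate hops: the `inspect icmp error` inspection, and the explicit inbound ACL the poster is considering. The interface name `outside` and the ACL name `outside_access_in` are assumptions.

```cisco
! --- Baseline: ICMP inspection only. Echo replies from the final
! --- destination are matched to the outbound echo request and allowed;
! --- time-exceeded errors from routers in the path have no matching
! --- session and are dropped, giving "* * *" for every hop but the last.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! --- Option 1: add ICMP error inspection. The ASA then creates a
! --- translation for the intermediate hop that sent the error and
! --- forwards the time-exceeded message to the inside host, so each
! --- hop's address shows up in tracert.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Option 2: permit the specific ICMP error types inbound with an
! --- ACL instead. Limit it to the error types traceroute relies on
! --- (type 11 time-exceeded, type 3 unreachable) rather than all ICMP.
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
```

With Option 1 the firewall still tracks state per traceroute probe, so nothing unsolicited is admitted; Option 2 is stateless and should be kept to those two types.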