Hi halijenn / all
I have a query in the context of Inbound and Outbound traceroute via the ASA Firewall.
1) To configure the ASA to show its internal network from the outside network:
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)#access-list internal-out permit icmp any any unreachable
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside
I want to know whether, just for the Inbound Traceroute, the above access-list is required or not, as per the following document
I am getting confused as to what specifically we require for Inbound Traceroute. I believe it is a combination of static + ICMP error and set decrement-ttl (if we want to see the ASA interface in the output). If anything else is required, please correct me.
2) For the Outbound traceroute, do we have to allow inspect icmp and inspect icmp error and allow time-exceeded (ACL)? If yes, I want to know why inspect icmp error is required for Outbound traceroute.