Traceroute failure

Unanswered Question
Mar 31st, 2006
User Badges:

Hi. I must be mising something simple. This access-list/access-group combination worked with PIX 6.X code and the PIX 7.X code, but it won't work with the ASA 7.X code. It's a pretty simple access-list:


access-list outside-acl extended permit icmp any any echo-reply


access-list outside-acl extended permit icmp any any time-exceeded


access-list outside-acl extended permit icmp any any unreachable


access-group outside-acl in interface outside.


What am I doing wrong? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Patrick Iseli Fri, 03/31/2006 - 11:00
User Badges:
  • Gold, 750 points or more

PIX OS changed for ICMP from stateless to stateful for ICMP with the move from 6.x to 7.x.


Try with:


PIX 7.x

inspect icmp

inspect icmp error


http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/trouble.htm#wp1059758


Pinging Through the Security Appliance


After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.


To ping between hosts on different interfaces, perform the following steps:


Step 1 To add an access list allowing ICMP from any source host, enter the following command:


hostname(config)# access-list ICMPACL extended permit icmp any any



By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.


Step 2 To assign the access list to each source interface, enter the following command:


hostname(config)# access-group ICMPACL in interface interface_name



Repeat this command for each source interface.


Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:


hostname(config)# class-map ICMP-CLASS


hostname(config-cmap)# match access-list ICMPACL


hostname(config-cmap)# policy-map ICMP-POLICY


hostname(config-pmap)# class ICMP-CLASS


hostname(config-pmap-c)# inspect icmp


hostname(config-pmap-c)# service-map ICMP-POLICY global


sincerely

Patrick

Actions

This Discussion