Traceroute failure

Unanswered Question
Mar 31st, 2006
User Badges:

Hi. I must be mising something simple. This access-list/access-group combination worked with PIX 6.X code and the PIX 7.X code, but it won't work with the ASA 7.X code. It's a pretty simple access-list:

access-list outside-acl extended permit icmp any any echo-reply

access-list outside-acl extended permit icmp any any time-exceeded

access-list outside-acl extended permit icmp any any unreachable

access-group outside-acl in interface outside.

What am I doing wrong? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Patrick Iseli Fri, 03/31/2006 - 11:00
User Badges:
  • Gold, 750 points or more

PIX OS changed for ICMP from stateless to stateful for ICMP with the move from 6.x to 7.x.

Try with:

PIX 7.x

inspect icmp

inspect icmp error

Pinging Through the Security Appliance

After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.

To ping between hosts on different interfaces, perform the following steps:

Step 1 To add an access list allowing ICMP from any source host, enter the following command:

hostname(config)# access-list ICMPACL extended permit icmp any any

By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2 To assign the access list to each source interface, enter the following command:

hostname(config)# access-group ICMPACL in interface interface_name

Repeat this command for each source interface.

Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:

hostname(config)# class-map ICMP-CLASS

hostname(config-cmap)# match access-list ICMPACL

hostname(config-cmap)# policy-map ICMP-POLICY

hostname(config-pmap)# class ICMP-CLASS

hostname(config-pmap-c)# inspect icmp

hostname(config-pmap-c)# service-map ICMP-POLICY global




This Discussion