Allowing traceroute on ASA 8.6 version

I have a 5512 with 8.6 and I need to allow traceroute through it for troubleshooting purposes. As inbound traffic has to be allowed specifically for the original address on 8.6, do I have to allow the entire inside subnet if I want my entire subnet to be able to run traceroutes?

I have tried enabling ICMP inspection as well as allowing inbound time-exceeded replies for the NATted IP, but to no avail.

Is there any standard best practice for such scenarios? Because allowing inbound icmp/time-exceeded on the original IP address is working here.

Thanks for reading and for your valuable suggestions :)

1 REPLY

hi,

try this:

policy-map global_policy
 class inspection_default
  inspect icmp error

access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable

access-group OUTSIDE-IN in interface outside
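A small audit script, added here and not part of the thread or of any Cisco tooling, that checks an ASA running-config excerpt for the two pieces the reply above combines: `inspect icmp error` under the globally applied policy-map, and inbound ACEs on the outside interface permitting time-exceeded and unreachable. The sample config is constructed from the reply; it assumes the default `service-policy global_policy global` line is present, which the reply omits.

```python
import re

# Constructed sample: the reply's configuration plus the default service-policy line
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect icmp error
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
service-policy global_policy global
"""

def first_match(config, pattern):
    """First capture group of the first config line matching pattern, else None."""
    for line in config.splitlines():
        m = re.match(pattern, line.strip())
        if m:
            return m.group(1)
    return None

def policy_inspects_icmp_error(config, policy):
    """True if 'inspect icmp error' sits inside the named policy-map block."""
    in_policy = False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # any top-level command ends the policy-map block
            in_policy = line.strip() == f"policy-map {policy}"
        elif in_policy and line.strip() == "inspect icmp error":
            return True
    return False

def acl_permits_icmp_type(config, acl, icmp_type):
    """True if the ACL has an ACE permitting the given ICMP message type."""
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit icmp .+ {icmp_type}$")
    return any(pat.match(l.strip()) for l in config.splitlines())

def missing_traceroute_pieces(config, interface="outside"):
    """List what is still missing before traceroute replies can get back in."""
    missing = []
    policy = first_match(config, r"^service-policy (\S+) global$")
    if not policy or not policy_inspects_icmp_error(config, policy):
        missing.append("inspect icmp error in the global service-policy")
    acl = first_match(config, rf"^access-group (\S+) in interface {re.escape(interface)}$")
    for t in ("time-exceeded", "unreachable"):
        if not acl or not acl_permits_icmp_type(config, acl, t):
            missing.append(f"inbound ACE on {interface} permitting icmp {t}")
    return missing
```

The `any any` ACEs mirror the reply; narrowing the destination to the NATted address keeps the inbound rule tighter while still letting the ICMP errors through.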
