I'm setting up a ASA5520 (version 8.2(1))and would like to enable Traceroute from the Inside to the Outside. Most articles tell you to use ICMP Inspection instead of ACL's for this. ICMP Inspection appears to only allow replies that are from the destination IP and not the time-exceeded messages from the hops along the way.
ICMP Inspection allows Pings to work fine to the outside but when I try to traceroute, I will only receive the last reply from the destination, and all intermediary hops are timed out.
C:\Users\Craig>tracert -d 188.8.131.52
Tracing route to 184.108.40.206 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 34 ms 33 ms 33 ms 220.127.116.11
By enabling ICMP inspection, I can see how many hops away the destination is, but I'd also like to see the addresses of those hops.
I could add an ACL to allow ICMP time-exceeded messages in, but isn't that not recommended? And all these Cisco articles seem to imply that ICMP Inpection should handle traceroute with out ACL's:
Turning on ICMP Error inspection didn't work (I think that is for inbound traceroute and I want outbound) and I was trying to be more secure by avoiding ICMP access-lists and hoping that ICMP Ispection would do that for me.
Is ICMP inspection only useful for echo-replies?
It appears ICMP inspection only allows ICMP replies from the destination computer. Which means it is useless for ICMP Time Exceeded and and Destination Unreachable messages since those messages can come from a intermediate hop. They have to be allowed via an access list to allow traceroute replies and PMTU Discovery messages.
I guess ICMP may work for Source Quench since those replies would come from the source.
inspect icmp error command creates xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :