Cisco Support Community
Community Member

Revisited, public servers, protocol and port restriction on outside interface

Hi folks,

Recently, I got help from Jouni restricting port access from the outside. Previously, I allowed IP and ICMP from outside, and for example traceroute displayed the router names/addresses. After only allowing those ports that correspond to internal servers, traceroute stopped working.

How can I get traceroute information, while locking down all irrelevant ports?

Best regards,

Peter

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Revisited, public servers, protocol and port restriction on outs

Hi,

You could start by checking if you have the following configurations.

Issue the following command to see what inspections you have enabled:

show run policy-map

Check if you have any "icmp" related inspections enabled. If not, then add the following to the same section where the rest of them are:

inspect icmp error
inspect icmp

Also add the following statements to the ACL that is attached to your "outside" interface:

access-list OUTSIDE-IN line 1 remark Allow ICMP Return messages
access-list OUTSIDE-IN line 2 permit icmp any any unreachable
access-list OUTSIDE-IN line 3 permit icmp any any time-exceeded

Naturally, your "outside" interface ACL was named differently, so use that name instead. I inserted "line" numbers as I typically keep these rules at the very top of the ACL.

You might notice on the traceroutes taken from a host that the ASA will still not show up in the traceroute. There is a configuration that will allow the ASA to show up in traceroutes also, but I don't typically enable it myself.

- Jouni
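Why unreachable and time-exceeded are the two ICMP types worth opening, shown with an added Python example (mine, not from this thread or from Cisco): it parses the original datagram that a router quotes inside an ICMP error and accepts the error only when that datagram belongs to an outbound flow the firewall already knows, a simplified model of the stateful matching that ICMP inspection performs on top of the two ACL lines. All packets, addresses and the connection table are constructed sample data, and the function names are my own.

```python
import struct
from ipaddress import IPv4Address

ICMP_UNREACHABLE = 3      # "permit icmp any any unreachable"
ICMP_TIME_EXCEEDED = 11   # "permit icmp any any time-exceeded"

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header in front of payload (checksum left zero; constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_icmp_error(packet):
    """Return (type, inner_src, inner_dst, inner_proto, sport, dport) for an ICMP
    unreachable/time-exceeded packet, else None. Inner fields are the quoted datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                                   # not ICMP at all
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
        return None
    inner = packet[ihl + 8:]                             # datagram quoted after ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (icmp_type, str(IPv4Address(inner[12:16])),
            str(IPv4Address(inner[16:20])), inner[9], sport, dport)

def error_matches_connection(packet, connections):
    """Simplified stateful check: accept the error only if it is addressed back to
    the probe's sender and the quoted datagram is a known outbound flow."""
    parsed = parse_icmp_error(packet)
    if parsed is None:
        return False
    _, src, dst, proto, sport, dport = parsed
    if packet[16:20] != IPv4Address(src).packed:         # outer dst must be inner src
        return False
    return (src, dst, proto, sport, dport) in connections

# Constructed sample: inside host sends a UDP traceroute probe (TTL 1); a hop router
# answers with time-exceeded quoting the first 28 bytes of that probe.
PROBE = build_ipv4("192.0.2.10", "198.51.100.7", 17,
                   struct.pack("!HHHH", 40000, 33434, 8, 0), ttl=1)
TIME_EXCEEDED = build_ipv4("203.0.113.1", "192.0.2.10", 1,
                           struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + PROBE[:28])
CONNECTIONS = {("192.0.2.10", "198.51.100.7", 17, 40000, 33434)}
# An unreachable quoting a flow nobody inside started: the ACL alone would pass it.
UNSOLICITED = build_ipv4("203.0.113.9", "192.0.2.10", 1,
                         struct.pack("!BBHI", ICMP_UNREACHABLE, 3, 0, 0)
                         + build_ipv4("192.0.2.10", "198.51.100.99", 17,
                                      struct.pack("!HHHH", 5555, 53, 8, 0))[:28])
```

The ACL lines let both packets through; the connection match is what separates the genuine traceroute reply from the unsolicited one.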

2 REPLIES

Community Member

Revisited, public servers, protocol and port restriction on outs

Thanks! Now it's working nicely!

Have a nice day :-)

Peter
