Cisco Support Community

New Member

Traceroute across ASA.

Hi all

I am trying two solutions for getting "traceroute" across the ASA to work. The first solution is working for me, but the second solution is not working.

Am I missing something?

Solution 1

Allowing the "time-exceeded" and "unreachable" to the outside interface.

access-list mine extended permit icmpacl any any time-exceeded
access-list mine extended permit icmpacl any any unreachable
access-group icmpany in interface outside

Solution 2

I am not allowing the "time-exceeded" and "unreachable" to the outside interface. Rather, I am relying on inspect icmp and icmp error.

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error

With regards

Kings

3 REPLIES
Green

Re: Traceroute across ASA.

Do you mean this?

access-list mine extended permit icmp any any time-exceeded
access-list mine extended permit icmp any any unreachable
access-group mine in interface outside

New Member

Re: Traceroute across ASA.

Yes, it was a typo.

The following is what I had configured for the first solution.

access-list mine extended permit icmp any any time-exceeded
access-list mine extended permit icmp any any unreachable
access-group mine in interface outside

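The two differences between the ACL lines in the first post and the corrected ones (the protocol keyword and the ACL name given to access-group) can be caught offline before a config is pasted into the firewall. The following Python check is an added example, not part of the thread and not a Cisco tool; the function name `lint_acl_config` and the protocol keyword list are assumptions, and the list is not exhaustive.

```python
import re

# Partial list of protocol keywords accepted in an extended ACE
# (assumption: not exhaustive; extend it for your environment).
KNOWN_PROTOCOLS = {"ip", "icmp", "icmp6", "tcp", "udp", "esp", "ah", "gre",
                   "ospf", "eigrp", "igmp", "pim", "sctp"}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def lint_acl_config(text):
    """Return a list of (line_number, message) findings for ASA ACL lines."""
    findings, defined, applied = [], set(), []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace:
            name, _action, proto = ace.groups()
            defined.add(name)
            # Protocol may be a keyword, an IP protocol number, or an object reference.
            numeric = proto.isdigit() and 0 <= int(proto) <= 255
            if not (proto in KNOWN_PROTOCOLS or numeric
                    or proto in ("object", "object-group")):
                findings.append((num, f"unknown protocol '{proto}' in ACL '{name}'"))
            continue
        group = GROUP_RE.match(line)
        if group:
            applied.append((num, group.group(1), group.group(3)))
    # Cross-check after the whole config is read, so line order does not matter.
    for num, name, ifname in applied:
        if name not in defined:
            findings.append((num, f"access-group on '{ifname}' references "
                                  f"undefined ACL '{name}'"))
    return findings


# Sample input: the ACL lines as first posted in the thread, then as corrected.
AS_POSTED = """\
access-list mine extended permit icmpacl any any time-exceeded
access-list mine extended permit icmpacl any any unreachable
access-group icmpany in interface outside
"""
AS_CORRECTED = AS_POSTED.replace("icmpacl", "icmp").replace("icmpany", "mine")

if __name__ == "__main__":
    for num, msg in lint_acl_config(AS_POSTED):
        print(f"line {num}: {msg}")
```
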