New Member

Traceroute behind an ASA firewall...

Hello,

We are a Windows 2003 network and use an ASA firewall. We can traceroute from the ASA device but not from our desktops. Do you know the syntax we need to add to our outside access-lists? TIA, Gary

5 REPLIES
New Member

Re: Traceroute behind an ASA firewall...

On the outside interface access-list, permit icmp unreachable and icmp time-exceeded

http://www.cisco.com/warp/public/110/pixtrace.html#topic2

New Member

Re: Traceroute behind an ASA firewall...

Rather, you can also open ICMP completely by using "permit icmp any any" on the outside interface access-list.

Re: Traceroute behind an ASA firewall...

conf t
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

New Member

Re: Traceroute behind an ASA firewall...

I still can't run traceroute through my ASA, even though it's configured as shown:

policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp
!
service-policy global_policy global

I've issued the "clear x" command and even tried adding the following commands:

icmp permit any Outside
icmp permit any Inside

When I try "tracert yahoo.com", this is what the ASDM log shows (note that I've reversed the order to show earliest message first):

Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)

Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:(gateway address) dstInside:(outside IP address)(type 11,code 0)

Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr (outside IP address) laddr (inside address)

I can place a computer on the same public IP subnet that the outside interface of the ASA resides on and get traceroutes to work without issue, so I know the problem lies with the ASA.
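The ASDM log excerpt above already contains the diagnosis: the inbound type 11 (time-exceeded) message is being dropped by message 106014. As an added example that is not part of this thread, the following Python script parses ASA syslog lines in the shape quoted above and counts 106014 denies of the ICMP types traceroute depends on (time-exceeded from each hop, unreachable or echo-reply from the final hop). The sample lines are constructed to match the thread's format; the addresses in them are documentation ranges, not values from the post.

```python
import re
from collections import Counter

# Matches the ASA syslog shape quoted in the thread: timestamp, six-digit
# message id, colon, message body.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<msgid>\d{6}):(?P<body>.*)$"
)
# 106014 bodies end with "(type N,code M)".
ICMP_TYPE_RE = re.compile(r"\(type (?P<type>\d+),\s*code (?P<code>\d+)\)")
# "dst" may be glued to the interface name ("dstInside:") as in the quoted log,
# so the whitespace after "dst" is optional.
DIRECTION_RE = re.compile(
    r"Deny (?P<dir>inbound|outbound) icmp src (?P<src>.+?) dst\s*(?P<dst>.+?)\(type"
)

# ICMP types that must be allowed back in through the outside interface for
# traceroute to work.
TRACEROUTE_REPLY_TYPES = {
    11: "time-exceeded",  # sent by every intermediate hop
    3: "unreachable",     # port-unreachable from the last hop (UDP traceroute)
    0: "echo-reply",      # from the last hop when tracert uses ICMP echo
}

# Constructed sample, modelled on the ASDM lines quoted in the thread.
SAMPLE_LOG = """\
Oct 02 2007 19:26:36 302020:Built ICMP connection for faddr 66.94.234.13/0 gaddr 203.0.113.10 laddr 192.168.1.25
Oct 02 2007 19:26:36 106014:Deny inbound icmp src Outside:203.0.113.1 dst Inside:203.0.113.10 (type 11,code 0)
Oct 02 2007 19:26:37 106014:Deny inbound icmp src Outside:198.51.100.7 dst Inside:203.0.113.10 (type 11,code 0)
Oct 02 2007 19:26:38 302021:Teardown ICMP connection for faddr 66.94.234.13/0 gaddr 203.0.113.10 laddr 192.168.1.25
Oct 02 2007 19:26:39 106014:Deny inbound icmp src Outside:66.94.234.13 dst Inside:203.0.113.10 (type 3,code 3)
Oct 02 2007 19:26:40 106014:Deny inbound icmp src Outside:66.94.234.13 dst Inside:203.0.113.10 (type 8,code 0)
""".splitlines()


def parse_line(line):
    """Parse one ASA syslog line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "msgid": m["msgid"], "body": m["body"]}
    t = ICMP_TYPE_RE.search(m["body"])
    if t:
        rec["icmp_type"] = int(t["type"])
        rec["icmp_code"] = int(t["code"])
    d = DIRECTION_RE.search(m["body"])
    if d:
        rec["direction"] = d["dir"]
        rec["src"] = d["src"].strip()
        rec["dst"] = d["dst"].strip()
    return rec


def denied_traceroute_replies(lines):
    """Count 106014 inbound denies by traceroute-relevant ICMP type name.

    Only types in TRACEROUTE_REPLY_TYPES are counted; a denied inbound echo
    request (type 8), for example, is not a traceroute symptom and is ignored.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["msgid"] != "106014":
            continue
        if rec.get("direction") != "inbound":
            continue
        name = TRACEROUTE_REPLY_TYPES.get(rec.get("icmp_type"))
        if name:
            hits[name] += 1
    return hits


if __name__ == "__main__":
    for name, count in denied_traceroute_replies(SAMPLE_LOG).items():
        print(f"{name}: {count} inbound denies (message 106014)")
```

A non-zero count for time-exceeded while 302020 shows the outbound ICMP connection being built is exactly the pattern in the quoted log: the echo request leaves, but the hop replies are dropped before any inspection or ACL permits them.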

New Member

Re: Traceroute behind an ASA firewall...

Interestingly enough, I tried using the ACL method:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

instead of the global policy method, and that worked fine.

Go figure...
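The first reply's advice (permit unreachable and time-exceeded inbound on the outside interface) and the ACL that finally worked in the last reply can be checked mechanically. As an added example that is not part of the thread, this Python script parses "access-list ... permit/deny icmp ..." and "access-group ... in interface ..." lines, applies the ASA's first-match semantics (an entry with no ICMP type keyword matches all types), and reports which traceroute-related types the ACL bound to a given interface does not permit. The sample configurations are constructed; THREAD_ACL reproduces the one posted above, the others are variants written for this example.

```python
import re

# ICMP type keywords accepted on an ASA "access-list ... icmp" line, with the
# numeric type each stands for (numeric types are accepted on the line too).
ICMP_KEYWORDS = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "echo": 8,
    "time-exceeded": 11, "parameter-problem": 12,
}
KEYWORD_FOR_TYPE = {v: k for k, v in ICMP_KEYWORDS.items()}

# Types traceroute needs to see coming back in through the outside interface.
TRACEROUTE_NEEDS = ("echo-reply", "unreachable", "time-exceeded")

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+(?P<type>[\w-]+))?\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$")

# Constructed samples. THREAD_ACL is the ACL posted in the thread.
THREAD_ACL = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""
# Only ping replies are let back in: ping to the target works, but every
# intermediate hop of a traceroute shows as a timeout.
PING_ONLY_ACL = """\
access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
"""
# The "permit icmp any any" approach suggested in the second reply.
OPEN_ICMP_ACL = """\
access-list 101 permit icmp any any
access-group 101 in interface outside
"""
# First-match ordering matters: the numeric deny for type 11 shadows the permit.
DENY_FIRST_ACL = """\
access-list 101 deny icmp any any 11
access-list 101 permit icmp any any
access-group 101 in interface outside
"""


def parse_acl(config_text):
    """Return (acls, groups).

    acls maps ACL name -> ordered list of (action, icmp type keyword or None);
    groups maps interface name -> ACL name applied inbound on it.
    Non-ICMP entries are ignored since only ICMP matters for traceroute.
    """
    acls, groups = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m["proto"] == "icmp":
            t = m["type"]
            if t is not None and t.isdigit():
                t = KEYWORD_FOR_TYPE.get(int(t), t)
            acls.setdefault(m["name"], []).append((m["action"], t))
            continue
        g = GROUP_RE.match(line)
        if g:
            groups[g["iface"]] = g["name"]
    return acls, groups


def first_match(entries, icmp_type):
    """Evaluate an ICMP type against the ACL the way the ASA does: first match wins,
    an entry without a type keyword matches every type, and no match is an implicit deny."""
    for action, t in entries:
        if t is None or t == icmp_type:
            return action
    return "implicit-deny"


def missing_traceroute_types(config_text, iface="outside"):
    """List the traceroute-related ICMP types not permitted inbound on iface."""
    acls, groups = parse_acl(config_text)
    entries = acls.get(groups.get(iface), [])
    return [t for t in TRACEROUTE_NEEDS if first_match(entries, t) != "permit"]


if __name__ == "__main__":
    for label, cfg in [("thread", THREAD_ACL), ("ping-only", PING_ONLY_ACL),
                       ("open", OPEN_ICMP_ACL), ("deny-first", DENY_FIRST_ACL)]:
        print(f"{label}: missing {missing_traceroute_types(cfg) or 'nothing'}")
```

The script only reasons about the access-group path; it does not model "inspect icmp", so a configuration that relies on inspection alone will be reported as missing everything, which is the right conservative answer when the point is to verify what the ACL itself permits.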
