Cisco Support Community
New Member

traceroute is not working in Next generation firewall.

Hi

I have tried to allow traceroute for one PC for testing purposes, but it is not working.

Model: ASA 5515x, Version: 9.12

 

I have also allowed the access list below, but the user is still getting * * *

 

access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any unreachable

access-list acl_in line 1 permit icmp any any unreachable
access-list acl_in line 1 permit icmp any any time-exceeded
access-list acl_in line 1 permit icmp any any traceroute
access-list acl_in line 1 permit icmp any any echo-reply
access-list acl_in line 1 permit icmp any any time-exceeded

access-group acl_out in interface inside

access-group acl_in  in interface outside

Fixup protocol icmp
Fixup protocol icmp-error

3 REPLIES
Hall of Fame Super Silver


Your acl_out isn't allowing the inside user's echo requests. That's the fundamental packet that they would be sending as the initiator of a ping.

     access-list acl_out line 1 permit icmp any any echo

It would be easier to just allow all icmp outbound:

     access-list acl_out line 1 permit icmp any any

Of course, any access-list on the inside interface will then create an implicit deny for all other traffic. Without one, any inside-initiated to outside flows are allowed.
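To make the two points in this reply concrete (the missing echo entry, and the implicit deny that appears once an ACL is bound to the inside interface), here is a small evaluator for the access-list lines quoted in the thread. It is an added example, not Cisco code and not how the ASA actually implements ACL lookup: it only models "any" and exact-host addresses, protocol and ICMP type, and the packets and the 10.0.0.10 / 8.8.8.8 addresses are constructed for the demonstration.

```python
"""Toy evaluator for ASA access-list entries (added example, not Cisco code).

Modelled: protocol, 'any' or exact-host addresses, optional ICMP type,
first-match semantics and the implicit deny at the end of a bound ACL.
Not modelled: objects, subnets, ports, inspection of return traffic.
"""
import re
from typing import Optional

# access-list <name> [line N] permit|deny <proto> <src> <dst> [icmp-type]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<icmp_type>\S+))?\s*$"
)


def parse_acl(config: str) -> dict:
    """Return {acl_name: [ace, ...]} keeping the order the lines appear in."""
    acls: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue  # skip blank lines and unrelated commands
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line}")
        ace = m.groupdict()
        acls.setdefault(ace["name"], []).append(ace)
    return acls


def _addr_matches(pattern: str, addr: str) -> bool:
    # Only 'any' and an exact host address are supported (assumption of this example).
    return pattern == "any" or pattern == addr


def evaluate(aces: Optional[list], pkt: dict) -> str:
    """Return 'permit' or 'deny' for one packet against an ACL.

    aces=None models an inside interface with no access-group bound: as the
    reply states, inside-initiated flows to outside are then allowed.
    """
    if aces is None:
        return "permit"
    for ace in aces:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_matches(ace["src"], pkt["src"])
                and _addr_matches(ace["dst"], pkt["dst"])):
            continue
        # An ICMP entry with a type matches only that type; 'permit icmp any any'
        # (no type) matches every ICMP message.
        if (ace["proto"] == "icmp" and ace["icmp_type"]
                and ace["icmp_type"] != pkt.get("icmp_type")):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every bound ACL


# The acl_out entries from the original post (echo-reply, time-exceeded,
# traceroute, unreachable) with no entry for the outbound echo request.
POSTED_ACL_OUT = """
access-list acl_out line 1 permit icmp any any echo-reply
access-list acl_out line 1 permit icmp any any time-exceeded
access-list acl_out line 1 permit icmp any any traceroute
access-list acl_out line 1 permit icmp any any unreachable
"""
# The fix suggested in the reply: add the echo entry.
FIXED_ACL_OUT = POSTED_ACL_OUT + "access-list acl_out line 1 permit icmp any any echo\n"
# The broader alternative from the reply: permit all ICMP outbound.
ALL_ICMP_ACL_OUT = "access-list acl_out line 1 permit icmp any any\n"

# Constructed sample packets: the inside host's echo request, and an ordinary
# HTTPS connection that the posted ACL never mentions.
ECHO_REQUEST = {"proto": "icmp", "src": "10.0.0.10", "dst": "8.8.8.8", "icmp_type": "echo"}
HTTPS_FLOW = {"proto": "tcp", "src": "10.0.0.10", "dst": "8.8.8.8"}


def check_outbound(config: str, pkt: dict) -> str:
    """Evaluate a packet against the acl_out ACL parsed from config."""
    return evaluate(parse_acl(config).get("acl_out", []), pkt)


if __name__ == "__main__":
    print("posted ACL, echo request :", check_outbound(POSTED_ACL_OUT, ECHO_REQUEST))
    print("fixed ACL, echo request  :", check_outbound(FIXED_ACL_OUT, ECHO_REQUEST))
    print("posted ACL, HTTPS flow   :", check_outbound(POSTED_ACL_OUT, HTTPS_FLOW))
    print("no ACL bound, HTTPS flow :", evaluate(None, HTTPS_FLOW))
```

Running it shows the echo request denied under the posted acl_out and permitted once the echo entry (or the blanket "permit icmp any any") is added, and that the same posted ACL silently denies the host's HTTPS traffic through the implicit deny, while an inside interface with no access-group bound lets that flow through.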

Silver


If you are actually just configuring the ACL as a test, then I would suggest checking the logs to see what is built, for any future troubleshooting, so you can understand what is going through the ASA.

 

FYI: Inspection rule allows traceroute and you don't need ACLs from a higher security interface to a lower one.

 

Also check the following link:

 

ASA/PIX/FWSM: Handling ICMP Pings and Traceroute

 

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

Value our effort and rate the assistance!
Silver


Hey could you please mark the ticket as answered.

Value our effort and rate the assistance!