This seems pretty juvenile, but how do I allow traceroute from the inside to the dmz. My access list has only the implict rule to allow all higher secured interfaces access to lower secured interfaces. So, all traffic from the inside is being allowed to the dmz. However, a traceroute is stopping at the firewall. Can someone please help???
If you're using the implied rules to go from high to low security, then you need to define and access list to allow the icmp messages back in because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
Please rate this message if it solved some or all of your issue/question.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...