asa icmp for traceroute
Experts,
suppose I have an ASA 5505 and want to allow it to answer traceroutes that come inbound from the outside interface. The ACL will be called outside_access_inbound
What ACL will allow the traceroute? Note, please don't say "ICMP". I need to only permit enough for traceroute rather than all ICMP.
suppose I have an ASA 5505 and want to allow it to answer traceroutes that come inbound from the outside interface. The ACL will be called outside_access_inbound
What ACL will allow the traceroute? Note, please don't say "ICMP". I need to only permit enough for traceroute rather than all ICMP.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Linux and Cisco traceroute uses UDP and Windows used ICMP echo request (type 8). So you would need to make rules for both to make it work. Please refer to the link below for the details description:
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
Sudeep
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
Sudeep
Please keep the following in mind if you want the ASA to show up in the traceroute:
ciscoasa(config-pmap-c)#se
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
ciscoasa(config-pmap-c)#se
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Premium Content
You need an Expert Office subscription to comment.Start Free Trial