We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
3 days, 17 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
asa icmp for traceroute
Posted on 2012-12-24
Experts,
suppose I have an ASA 5505 and want to allow it to answer traceroutes that come inbound from the outside interface. The ACL will be called outside_access_inbound
What ACL will allow the traceroute? Note, please don't say "ICMP". I need to only permit enough for traceroute rather than all ICMP.
suppose I have an ASA 5505 and want to allow it to answer traceroutes that come inbound from the outside interface. The ACL will be called outside_access_inbound
What ACL will allow the traceroute? Note, please don't say "ICMP". I need to only permit enough for traceroute rather than all ICMP.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
Linux and Cisco traceroute uses UDP and Windows used ICMP echo request (type 8). So you would need to make rules for both to make it work. Please refer to the link below for the details description:
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
Sudeep
http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
Sudeep
Please keep the following in mind if you want the ASA to show up in the traceroute:
ciscoasa(config-pmap-c)#se
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
ciscoasa(config-pmap-c)#se
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I recently updated from an old PIX platform to the new ASA platform. While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works. It turns out that the ASA has 3 different VPN licensing schemes.
"site-to-site" …
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month3 days, 17 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNA Collaboration: CIVND2
$197.00$177.30
691 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.