
Allow ICMP through Cisco ASA 9.1(2)

sreeraj.murali
Level 3

Hi Experts,

Please suggest which ports/services need to be allowed to permit tracert through ASA 9.1(2) from INSIDE to OUTSIDE.

 

Thanks

Sreeraj

 

4 Replies

Bogdan Nita
VIP Alumni

Hi Sreeraj,

 

You need to allow icmp time-exceeded for Windows and icmp unreachable for Linux.

 

access-list outside_acl_in extended permit icmp any any time-exceeded
access-list outside_acl_in extended permit icmp any any unreachable
!
access-group outside_acl_in in interface outside

 

If you want the ASA to appear as a hop:


policy-map global_policy
 class class_default
  set connection decrement-ttl

 

HTH

Bogdan

Tried the same. Below is the configuration already in place:

access-group OUTSIDE-ACT_access_in in interface OUTSIDE-ACT
access-list OUTSIDE-ACT_access_in extended permit icmp any any object-group ICMP-REPLY
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 unreachable

The commands below were not accepted.

IN-BG-00-GWFW-001(config)# policy-map global_policy
IN-BG-00-GWFW-001(config-pmap)# class-map class_default
IN-BG-00-GWFW-001(config-cmap)# set con
IN-BG-00-GWFW-001(config-cmap)# set conn
IN-BG-00-GWFW-001(config-cmap)# set connection
IN-BG-00-GWFW-001(config-cmap)# set connection de
IN-BG-00-GWFW-001(config-cmap)# set connection decr
IN-BG-00-GWFW-001(config-cmap)# set connection decrement-ttl
                                   ^
ERROR: % Invalid input detected at '^' marker.

Please advise.

 

I think the problem is that you do not have the class defined. class_default used to come in the default configuration, but it seems it is not there anymore.

If you want to apply decrement-ttl to all traffic, you could configure it like this:

MyASA(config)# class-map class_default
MyASA(config-cmap)# match any
MyASA(config-cmap)# exit
MyASA(config)# policy-map global_policy
MyASA(config-pmap)# class class_default
MyASA(config-pmap-c)# set connection decrement-ttl

 

HTH

Bogdan

Thanks All. The issue is resolved.

 

inspect icmp was missing. I added that.

 

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

 

https://supportforums.cisco.com/t5/firewalling/allow-traceroute-through-asa/td-p/2201465

 

This link helped.
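An added configuration-audit script, written for this page and not taken from the thread or from Cisco, that checks a saved ASA running-config for the prerequisites the thread converged on: time-exceeded and unreachable permitted by the ACL applied inbound on the outside interface, inspect icmp under global_policy, and (optionally) set connection decrement-ttl. It assumes the one-space/two-space indentation of ASA "show run" output, uses the thread's interface name OUTSIDE-ACT, embeds a constructed sample config, and does not expand object-group references in ACEs.

```python
import re
# Constructed sample modelled on the thread's final working config; "inspect icmp" is the OP's fix.
SAMPLE_CONFIG = """\
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 unreachable
access-group OUTSIDE-ACT_access_in in interface OUTSIDE-ACT
class-map class_default
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
 class class_default
  set connection decrement-ttl
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit icmp \S+ \S+ (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def inbound_acl(lines, interface):
    """Name of the ACL applied inbound on `interface`, or '' if none."""
    for m in map(GROUP_RE.match, lines):
        if m and m.group(2) == interface:
            return m.group(1)
    return ""

def icmp_types_permitted(lines, acl):
    """ICMP type keywords permitted by literal ACEs in `acl` (object-groups are not expanded)."""
    return {m.group(2) for m in map(ACE_RE.match, lines) if m and m.group(1) == acl}

def policy_map_commands(lines, name):
    """Commands under any class of policy-map `name`, using ASA 'show run' indentation."""
    inside, cmds = False, []
    for line in lines:
        if not line.startswith(" "):            # unindented line starts/ends a block
            inside = line == f"policy-map {name}"
        elif inside and line.startswith("  "):  # two spaces: a command under a class
            cmds.append(line.strip())
    return cmds

def audit_traceroute(config, outside_if):
    """Map each prerequisite the thread settled on to whether the config satisfies it."""
    lines = config.splitlines()
    types = icmp_types_permitted(lines, inbound_acl(lines, outside_if))
    cmds = policy_map_commands(lines, "global_policy")
    return {
        "icmp time-exceeded permitted inbound": "time-exceeded" in types,
        "icmp unreachable permitted inbound": "unreachable" in types,
        "inspect icmp in global_policy": "inspect icmp" in cmds,
        "ASA appears as a hop (decrement-ttl, optional)": "set connection decrement-ttl" in cmds,
    }
```

Run it against `show running-config` output pasted into SAMPLE_CONFIG; a False for the first three checks reproduces the thread's failure modes (missing ACE or missing inspect icmp).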