05-24-2018 06:36 AM - edited 03-12-2019 05:19 AM
Hi Experts,
Please suggest which ports/services need to be allowed to permit tracert through ASA 9.1(2) from INSIDE to OUTSIDE.
Thanks
Sreeraj
05-24-2018 06:50 AM
Hi Sreeraj,
You need to allow icmp time-exceeded for Windows and icmp unreachable for Linux.
access-list outside_acl_in extended permit icmp any any time-exceeded
access-list outside_acl_in extended permit icmp any any unreachable
!
access-group outside_acl_in in interface outside
If you want the ASA to appear as a hop:
policy-map global_policy
class class_default
set connection decrement-ttl
HTH
Bogdan
05-24-2018 09:34 PM
Tried the same. Below is the configuration already in place:
access-group OUTSIDE-ACT_access_in in interface OUTSIDE-ACT
access-list OUTSIDE-ACT_access_in extended permit icmp any any object-group ICMP-REPLY
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 unreachable
The below commands didn't get accepted.
IN-BG-00-GWFW-001(config)# policy-map global_policy
IN-BG-00-GWFW-001(config-pmap)# class-map class_default
IN-BG-00-GWFW-001(config-cmap)# set con
IN-BG-00-GWFW-001(config-cmap)# set conn
IN-BG-00-GWFW-001(config-cmap)# set connection
IN-BG-00-GWFW-001(config-cmap)# set connection de
IN-BG-00-GWFW-001(config-cmap)# set connection decr
IN-BG-00-GWFW-001(config-cmap)# set connection decrement-ttl
^
ERROR: % Invalid input detected at '^' marker.
Please advise.
05-24-2018 11:39 PM
I think the problem is you do not have the class defined. class_default used to come in the default configuration, but seems it is not there anymore.
If you would want to apply the decrement-ttl to all traffic you could configure it like this:
MyASA(config)# class-map class_default
MyASA(config-cmap)# match any
MyASA(config-cmap)# exit
MyASA(config)# policy-map global_policy
MyASA(config-pmap)# class class_default
MyASA(config-pmap-c)# set connection decrement-ttl
HTH
Bogdan
05-24-2018 11:45 PM
Thanks All. The issue is resolved.
inspect icmp was missing. I added that.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
https://supportforums.cisco.com/t5/firewalling/allow-traceroute-through-asa/td-p/2201465
This link helped.
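The thread ends up with two ways of letting traceroute replies back in through the ASA: an inbound ACL on the outside interface that permits icmp time-exceeded and unreachable (Bogdan's first reply), or ICMP inspection in the global policy (the fix that resolved the question), plus the optional decrement-ttl setting that makes the ASA show up as a hop. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a running-config fragment and reports which of those pieces are present. The sample config is constructed for the example, modelled on the lines posted above; the parser assumes the indentation layout of "show running-config" (class lines one space under policy-map, actions two spaces under class) and ACL entries with literal source/destination tokens rather than object-groups. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample running-config fragment (not captured from a real device),
# modelled on the ACL and inspection lines posted in the thread.
SAMPLE_CONFIG = """\
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE-ACT_access_in extended permit icmp any4 any4 unreachable
access-group OUTSIDE-ACT_access_in in interface OUTSIDE-ACT
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

# Only the ICMP entries of each ACL matter here; the rest of the line is kept for inspection.
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) icmp (.*)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Extract ICMP ACL entries, inbound access-groups, policy-map classes and the global policy."""
    cfg = {
        "icmp_acl": defaultdict(list),   # ACL name -> [(action, "src dst [type]")] in config order
        "inbound_acl": {},               # interface name -> ACL applied inbound on it
        "policy": defaultdict(lambda: defaultdict(list)),  # policy-map -> class -> action lines
        "global_policy": None,           # name of the policy-map applied with "service-policy ... global"
    }
    pmap = cls = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:                  # a top-level command ends any policy-map context
            pmap = cls = None
            m = ACL_RE.match(line)
            if m:
                cfg["icmp_acl"][m.group(1)].append((m.group(2), m.group(3)))
            elif (m := ACCESS_GROUP_RE.match(line)):
                cfg["inbound_acl"][m.group(2)] = m.group(1)
            elif line.startswith("policy-map "):
                pmap = line.split()[1]
            elif line.startswith("service-policy ") and line.endswith(" global"):
                cfg["global_policy"] = line.split()[1]
        elif pmap and indent == 1 and line.startswith("class "):
            cls = line.split()[1]
        elif pmap and cls and indent >= 2:
            cfg["policy"][pmap][cls].append(line)
    return cfg


def icmp_permitted(cfg, interface, icmp_type):
    """First-match evaluation of the inbound ACL on `interface` for one ICMP type.
    An entry without a type ("permit icmp any any") matches every ICMP message."""
    acl = cfg["inbound_acl"].get(interface)
    for action, rest in cfg["icmp_acl"].get(acl, []):
        tokens = rest.split()            # src dst [type [code]] (literal tokens assumed)
        entry_type = tokens[2] if len(tokens) > 2 else None
        if entry_type in (None, icmp_type):
            return action == "permit"
    return False                         # implicit deny at the end of the ACL


def _global_policy_has(cfg, action):
    pmap = cfg["global_policy"]
    return any(action in actions for actions in cfg["policy"].get(pmap, {}).values())


def traceroute_readiness(cfg, outside_interface):
    """Summarise whether traceroute replies arriving on the outside interface get through."""
    acl_ok = (icmp_permitted(cfg, outside_interface, "time-exceeded")
              and icmp_permitted(cfg, outside_interface, "unreachable"))
    inspect_ok = _global_policy_has(cfg, "inspect icmp")
    return {
        "acl_permits_replies": acl_ok,                 # Bogdan's ACL approach
        "icmp_inspection": inspect_ok,                 # the "inspect icmp" fix from the last post
        "asa_shows_as_hop": _global_policy_has(cfg, "set connection decrement-ttl"),
        "replies_allowed": acl_ok or inspect_ok,
    }


if __name__ == "__main__":
    for key, value in traceroute_readiness(parse_config(SAMPLE_CONFIG), "OUTSIDE-ACT").items():
        print(f"{key:22s} {value}")
```

Run against the sample it reports that both the ACL and ICMP inspection allow the replies and that decrement-ttl is not set, which matches the thread's end state (the ASA passes traceroute but does not appear as a hop). Feeding it a config with neither the ACL entries nor "inspect icmp" yields replies_allowed False, which is the situation the original poster started from.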