Typo. First solution is:

*Solution 1*

Allowing the "time-exceeded" and "unreachable" to outside interface.

access-list mine extended permit icmp any any time-exceeded
access-list mine extended permit icmp any any unreachable

access-group icmpany in interface outside

On Tue, Sep 29, 2009 at 7:52 PM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> I am trying two solutions for getting "traceroute" across ASA to work.
> First solution is working for me but the second solution is not working.
> Am I missing something?
>
>
> *Solution 1*
>
> Allowing the "time-exceeded" and "unreachable" to outside interface.
>
> access-list mine extended permit icmpacl any any time-exceeded
> access-list mine extended permit icmpacl any any unreachable
>
> access-group icmpany in interface outside
>
>
> *Solution 2*
>
> I am not allowing the "time-exceeded" and "unreachable" to outside
> interface. Rather I am relying on inspect icmp and icmp error.
>
> policy-map global_policy
>  class inspection_default
>   inspect dns migrated_dns_map_1
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect icmp
>   inspect icmp error
>
>
> With regards
> Kings
