Kingsley,

icmp error will not allow traceroute back in. Instead what it is used for is when you are using NAT on the inside. It translates the source address in a packet to allow the icmp error return traffic to be directed to the correct source. It hides the internal address from the external networks but still requires you to allow time-exceeded and unreachable on the outside ACL. Without the command the ASA hides the source address.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1736134

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, September 29, 2009 10:49 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Traceroute across ASA

Typo: the first solution is

Solution 1
Allowing the "time-exceeded" and "unreachable" to the outside interface.

    access-list mine extended permit icmp any any time-exceeded
    access-list mine extended permit icmp any any unreachable
    access-group icmpany in interface outside

On Tue, Sep 29, 2009 at 7:52 PM, Kingsley Charles <[email protected]> wrote:

> Hi all,
>
> I am trying two solutions for getting "traceroute" across the ASA to work. The first solution is working for me but the second solution is not working. Am I missing something?
>
> Solution 1
> Allowing the "time-exceeded" and "unreachable" to the outside interface.
>
>     access-list mine extended permit icmpacl any any time-exceeded
>     access-list mine extended permit icmpacl any any unreachable
>     access-group icmpany in interface outside
>
> Solution 2
> I am not allowing the "time-exceeded" and "unreachable" to the outside interface. Rather I am relying on inspect icmp and icmp error.
>
>     policy-map global_policy
>      class inspection_default
>       inspect dns migrated_dns_map_1
>       inspect ftp
>       inspect h323 h225
>       inspect h323 ras
>       inspect netbios
>       inspect rsh
>       inspect rtsp
>       inspect skinny
>       inspect esmtp
>       inspect sqlnet
>       inspect sunrpc
>       inspect tftp
>       inspect sip
>       inspect xdmcp
>       inspect icmp
>       inspect icmp error
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
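The two mechanisms the thread contrasts, as an added toy model in Python (not code from the thread, from Cisco, or from the ASA): the stateless outside ACL of Solution 1, the echo-only state that `inspect icmp` keeps, and `inspect icmp error` as the outbound source rewrite Tyson describes. The addresses, ICMP ids and the NAT table are constructed sample data, and the model follows only the behaviour the replies state.

```python
# Added toy model (not from the thread): how the outside interface handles
# inbound ICMP for a traceroute started inside, following the replies above.
# Addresses, ICMP ids and the NAT table below are constructed sample data.
ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED = 0, 3, 11

def outside_acl_permits(pkt, permitted_types):
    """Solution 1: stateless 'access-list ... permit icmp any any <type>'."""
    return pkt["proto"] == "icmp" and pkt["type"] in permitted_types

def inspect_icmp_permits(pkt, echo_sessions):
    """'inspect icmp' keeps state for echo requests only: an inbound
    echo-reply passes when it matches an outbound (peer, id) session."""
    return pkt["type"] == ECHO_REPLY and (pkt["src"], pkt["id"]) in echo_sessions

def asa_admits_inbound(pkt, permitted_types=(), echo_sessions=frozenset()):
    """Inbound ICMP on 'outside' passes if either mechanism allows it."""
    return (outside_acl_permits(pkt, permitted_types)
            or inspect_icmp_permits(pkt, echo_sessions))

def inspect_icmp_error_translate(pkt, nat):
    """'inspect icmp error': an ICMP error an inside hop sends outbound gets
    its source rewritten to the hop's mapped address (Tyson's point), so the
    internal address is hidden. It admits nothing inbound by itself."""
    if pkt["proto"] == "icmp" and pkt["type"] in (UNREACHABLE, TIME_EXCEEDED):
        return dict(pkt, src=nat.get(pkt["src"], pkt["src"]))
    return pkt

# Constructed traffic. 198.51.100.10 is the inside host's mapped address.
HOP_REPLY = {"proto": "icmp", "type": TIME_EXCEEDED, "src": "203.0.113.1",
             "dst": "198.51.100.10", "id": None}        # answer to a UDP probe
ECHO_BACK = {"proto": "icmp", "type": ECHO_REPLY, "src": "192.0.2.5",
             "dst": "198.51.100.10", "id": 0x1234}      # answer to an echo
INSIDE_HOP_ERROR = {"proto": "icmp", "type": TIME_EXCEEDED, "src": "10.1.1.1",
                    "dst": "192.0.2.5", "id": None}     # inside router's error
NAT = {"10.1.1.1": "198.51.100.10"}

def demo():
    """Return each case's outcome; keys name the thread's two solutions."""
    sessions = {("192.0.2.5", 0x1234)}         # the inside host pinged 192.0.2.5
    return {
        "time_exceeded_with_acl": asa_admits_inbound(HOP_REPLY, {UNREACHABLE, TIME_EXCEEDED}),
        "time_exceeded_inspect_only": asa_admits_inbound(HOP_REPLY, (), sessions),
        "echo_reply_inspect_only": asa_admits_inbound(ECHO_BACK, (), sessions),
        "inside_hop_error_src": inspect_icmp_error_translate(INSIDE_HOP_ERROR, NAT)["src"],
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The second key reproduces what Kingsley saw with Solution 2: the hop's time-exceeded answer to a UDP probe matches no echo session, so without the ACL it is dropped.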
