Cisco ASA 5510 ICMP and Traceroute Traffic

On a Cisco ASA 5510, pings and traceroutes from inside hosts to the internet fail by default. The outbound echo-request itself leaves through the higher-security inside interface without trouble; what gets dropped is the echo-reply (and the other ICMP messages traceroute depends on) arriving at the outside interface, because the ASA does not track ICMP statefully unless ICMP inspection is enabled. For testing and troubleshooting purposes, being able to ping hosts on the internet is extremely helpful, so you will have to permit it. There are several methods to allow ICMP and traceroute traffic on the ASA, as documented here. For a simple config, I prefer to use access-lists to permit or deny traffic. If you're an ASDM fanboy, I'll show you a quick way to set it up as well.

At the CLI, to permit ICMP and traceroute return traffic, create an access-list like the one below and apply it inbound on the outside interface. Make note of the ICMP message types: every one of them is a reply to something an inside host sent, so nothing here opens the firewall to unsolicited echo-requests from the internet.

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

Once acl 101 is applied inbound on the outside interface, the echo-reply to any echo-request sent from inside is permitted back in. The same applies to source-quench, unreachable and time-exceeded. Time-exceeded is what traceroute needs from each intermediate hop, and unreachable carries the destination's port-unreachable that ends a UDP traceroute, so both are required for traceroute to work, not just echo-reply. One caveat: an interface can have only one ACL bound per direction, so "access-group 101 in interface outside" replaces whatever ACL is already applied inbound on outside. On a box that already has one, add these entries to that ACL instead of creating a new one, and check the result with "show access-group" and "show access-list". The tighter alternative is ICMP inspection ("inspect icmp" in the global policy-map), which makes ICMP stateful and admits only the replies that match an outgoing request rather than every echo-reply from anywhere.
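To check the result without staring at the running config, here is an added example (not code from the original post) that audits a captured "show running-config access-list" / "show running-config access-group" excerpt for the three ICMP types ping and traceroute depend on. It assumes the config has been copied into a string; the sample at the bottom is constructed, and the function and class names are my own. It applies the ASA's first-match rule, so an earlier blanket "deny icmp any any" is reported as shadowing the later permits, and an ACL that exists but is not bound inbound on outside is reported as protecting nothing. Only any/any entries are counted as covering the inside network.

```python
"""Audit ASA ACL rules for the ICMP replies ping and traceroute depend on.

Added example, not code from the original post. Assumes the output of
`show running-config access-list` and `show running-config access-group`
has been captured into a string (the SAMPLE_CONFIG below is constructed).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Replies that must be allowed back in on the outside interface.
# time-exceeded is what traceroute needs from each hop, unreachable carries the
# final-hop port-unreachable for UDP traceroute, echo-reply is what ping needs.
REQUIRED_ICMP_TYPES = ("echo-reply", "unreachable", "time-exceeded")

# Keywords that may follow the destination (or the ICMP type) on an ACE.
TRAILING_KEYWORDS = {"log", "inactive", "time-range", "interval"}


@dataclass
class IcmpAce:
    acl: str
    action: str                # permit | deny
    src: str
    dst: str
    icmp_type: Optional[str]   # None means the ACE matches every ICMP type


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ASA address spec starting at tokens[i]; return (text, next index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    # host X, object X, object-group X, interface X, or "network mask" all take two tokens
    return f"{t} {tokens[i + 1]}", i + 2


def parse_icmp_aces(config: str) -> List[IcmpAce]:
    """Return ICMP ACEs in config order; remarks and other protocols are skipped."""
    aces = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        i = 2
        if tokens[i] == "extended":          # the form the ASA stores in running-config
            i += 1
        if tokens[i] not in ("permit", "deny") or tokens[i + 1] != "icmp":
            continue                         # remark line, or tcp/udp/ip/service-object ACE
        action = tokens[i]
        src, i = _addr(tokens, i + 2)
        dst, i = _addr(tokens, i)
        icmp_type = None
        if i < len(tokens) and tokens[i] not in TRAILING_KEYWORDS:
            icmp_type = tokens[i]
        aces.append(IcmpAce(tokens[1], action, src, dst, icmp_type))
    return aces


def parse_access_groups(config: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) -> ACL name from 'access-group <acl> in|out interface <if>'."""
    bound = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-group" and t[3] == "interface":
            bound[(t[4], t[2])] = t[1]
    return bound


@dataclass
class AuditResult:
    acl: Optional[str]      # ACL bound inbound on the interface, None if nothing is bound
    permitted: List[str]
    missing: List[str]      # no matching ACE at all: falls through to the implicit deny
    blocked: List[str]      # an earlier deny ACE shadows any later permit


def audit(config: str, interface: str = "outside") -> AuditResult:
    """Decide, per required ICMP type, what the inbound ACL on `interface` does with it."""
    acl = parse_access_groups(config).get((interface, "in"))
    result = AuditResult(acl, [], [], [])
    aces = [a for a in parse_icmp_aces(config) if a.acl == acl]
    for needed in REQUIRED_ICMP_TYPES:
        verdict = "missing"
        for ace in aces:                     # ASA evaluates ACEs top-down, first match wins
            if ace.src in ("any", "any4") and ace.dst in ("any", "any4") \
                    and ace.icmp_type in (None, needed):
                verdict = "permitted" if ace.action == "permit" else "blocked"
                break
        getattr(result, verdict).append(needed)
    return result


def fix_commands(result: AuditResult, default_acl: str = "101",
                 interface: str = "outside") -> List[str]:
    """ASA config lines that add the missing permits (and bind the ACL if nothing is bound)."""
    name = result.acl or default_acl
    cmds = [f"access-list {name} extended permit icmp any any {t}" for t in result.missing]
    if result.acl is None:
        cmds.append(f"access-group {name} in interface {interface}")
    return cmds


# Constructed sample: ping from inside works but traceroute does not, because
# the ACL permits echo-reply and unreachable and never mentions time-exceeded.
SAMPLE_CONFIG = """\
access-list 101 remark ICMP replies for ping/traceroute from inside
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable log
access-list 101 extended permit tcp any host 203.0.113.10 eq 443
access-group 101 in interface outside
"""

if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    print(f"ACL inbound on outside: {r.acl}")
    print(f"permitted={r.permitted} missing={r.missing} blocked={r.blocked}")
    for cmd in fix_commands(r):
        print(cmd)
```

Run it against a real capture by replacing SAMPLE_CONFIG with the pasted output; for the sample it reports time-exceeded as missing and prints the one access-list line needed to fix traceroute.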

 

If you prefer the ASDM, simply create a new access rule in the security policy tab like the one below. In this case I'm only permitting ICMP echo-reply traffic to pass. With only echo-reply permitted, ping works but traceroute does not, since the time-exceeded replies it relies on are still dropped.
