Blog by JasmineCorp
Tech support - post experiences and reviews on tech products worked with while on the job providing support to her customers and end-users.
Permit Trace Route on Cisco ASA By PC Tech Support at 2009-11-29 07:51:36
Out of the box the Cisco ASA, like most firewalls and security appliances, lets ping and traceroute probes leave the inside network but drops the ICMP replies that come back, so from an inside host both ping and traceroute appear to fail. Traceroute is not a command that gets used every day, but it is a standard troubleshooting tool built into desktops, laptops and routers for finding Internet or internal connectivity problems, and it is worth having it work through the firewall. On the Cisco ASA, three entries need to be added to the access list applied inbound on the outside interface so that the replies to those probes are let back in.
Configure ASA to allow traceroute responses.
Enable Trace Route and Ping on Cisco ASA
To allow the ping and trace route response traffic for probes sent from the inside to the outside, add the following statements:
access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded
Enter these lines in global configuration mode (enable, then configure terminal). The first line permits the ICMP echo-reply that answers a ping. The next two permit trace route: every intermediate hop answers an expired probe with an ICMP time-exceeded message, and the final destination answers with an ICMP unreachable (port unreachable, for the UDP probes that Unix, Linux and Cisco traceroute send). Windows tracert sends ICMP echo probes instead, so its final hop answers with an echo-reply, which the first line already covers. You may already have an access list and access-group for inbound access to services on the outside interface. If so, add these entries to that list by changing pmt_out2IN to its name; the ASA applies only one access-group per interface and direction, so a second list would not take effect. If you do not already have an inbound access list, create one with the name above or one of your choosing, and remember to bind it to the outside interface with an access-group statement, because an access list that is not applied does nothing. Note that "any any" accepts these ICMP types from every source on the Internet; ICMP inspection is the tighter alternative, since the ASA then admits only replies that match a probe it saw leave.
To allow RDP (Terminal Services) traffic through the ASA to an internal server, open TCP 3389 inbound to that server. For a server whose public NAT address is 230.198.191.25, add this line:
access-list pmt_out2IN extended permit tcp any host 230.198.191.25 eq 3389
This is the form for ASA 8.2 and earlier, where the access list matches the translated (public) address. On ASA 8.3 and later the access list matches the server's real, untranslated inside address instead, so the host in the line above becomes the private address of the server.
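The pieces above tied together as one configuration, added here as an example and not taken from the original post. The interface names inside and outside, the inside RDP host 10.0.0.25, the probing hop 203.0.113.1 and the public address 230.198.191.25 (kept from the post as a placeholder) are assumptions; the static and access-group lines are written for the 8.2-era syntax the post uses, with the 8.3-and-later equivalent shown commented out.

```cisco
! Added example, not the post's own configuration. Placeholders: interface
! nicknames inside/outside, inside RDP host 10.0.0.25, public address
! 230.198.191.25, Internet hop 203.0.113.1.
!
! --- Option A: explicitly permit the ICMP replies that ping and traceroute need ---
access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any time-exceeded
access-list pmt_out2IN extended permit icmp any any unreachable
!
! Inbound RDP. On ASA 8.2 and earlier the access list matches the translated
! (public) address, and the static translation is a separate command.
access-list pmt_out2IN extended permit tcp any host 230.198.191.25 eq 3389
static (inside,outside) 230.198.191.25 10.0.0.25 netmask 255.255.255.255
!
! On ASA 8.3 and later the access list matches the real (inside) address and
! NAT lives under a network object. Use these lines instead of the two above:
! object network rdp_server
!  host 10.0.0.25
!  nat (inside,outside) static 230.198.191.25
! access-list pmt_out2IN extended permit tcp any host 10.0.0.25 eq 3389
!
! Bind the list to traffic entering from the Internet. Only one access-group is
! applied per interface and direction, so merge these entries into any inbound
! list you already have rather than creating a second one.
access-group pmt_out2IN in interface outside
!
! --- Option B: stateful ICMP inspection instead of "permit icmp any any" ---
! With inspection enabled, echo-reply, time-exceeded and unreachable are let in
! only when they match a probe the ASA saw leave, so the three ICMP access-list
! entries in Option A are not required.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Check the result from the CLI before testing from a client: simulate an ICMP
! time-exceeded (type 11, code 0) arriving from an Internet hop and confirm the
! trace ends in ALLOW and names the rule or inspection that admitted it.
! packet-tracer input outside icmp 203.0.113.1 11 0 230.198.191.25
```

Option A and Option B can coexist, but if you adopt inspection, remove the three "any any" ICMP entries so the ASA is not admitting unsolicited ICMP from the whole Internet; the RDP entry and the access-group are needed in either case.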
Comments

By yon von rhinehardt at 2014-04-28 21:57:28
Even though it is annoying, it is totally understandable why this common and generic networking protocol was not enabled by default on the ASA. The Cisco ASA is a security appliance, and having ping and trace-route is often a first step for hackers to discover "live" devices.