||Cannot open jcsearch.dbCannot open jcsearch_time.db|
|Blog by JasmineCorp | Create your own Blog
RSS Feed | Login |
Tech support - post experiences and reviews on tech products worked with while on the job providing support to her customers and end-users.
Permit Trace Route on Cisco ASA
By PC Tech Support at 2009-11-29 07:51:36
The Cisco ASA not only blocks outbound pings out of the box as most firewwalls and security appliances do but also doesn't permit the trace route command from working. Traceroute is a command that is not used too often but is a tool used for trouble-shooting network issues. Traceroute is one of the built-in commands on desktops, laptops, and routers, this command gets used to find internet or internal connectivity problems. On the Cisco ASA, three lines of code need to be added to the access list for inside to outside traffic.
Configure ASA to allow traceroute responses.
Enable Trace Route and Ping on Cisco ASA
To allow pings and trace route responce traffic from internal to the outside, add the following statements:
access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded
The above lines must be added at the enable config level access prompt. The first line will permit ping (ICMP echo) reply and the next two permit trace route. You may already have an access list and access-group for inbound access to services. If so, you can modify the access-list name to match your current access-list, change pmt_out2IN to your access-lists name. If you don't already have an inbound access-list, add a new one with the name above of one of you choosing. Remember also to add and access group.
To allow RDP or terminal server traffic through an ASA: Open TCP 3689 inbound to that server whose public NAT is 188.8.131.52 , add this line:
access-list pmt_out2IN extended permit tcp any host 184.108.40.206 eq 3689
Permalink | Comments (2)
By yon von rhinehardt at 2014-04-28 21:57:28
Even through is annoying, it is totally understandable why this common and generic networking protocol was not enabled by default on the ASA. The Cisco ASA is a security appliance and having ping and trace-route is often a first step for hackers to discover "live" devices.
To add a comment please login by clicking here