The Cisco ASA not only blocks outbound pings out of the box as most firewwalls and security appliances do but also doesn't permit the trace route command from working. Traceroute is a command that is not used too often but is a tool used for trouble-shooting network issues. Traceroute is one of the built-in commands on desktops, laptops, and routers, this command gets used to find internet or internal internet connectivity problems. On the Cisco ASA, three lines of code need to be added to the access list for inside to outside traffic.

Configure ASA to allow traceroute responses.

To allow pings and trace route responce traffic from internal to the outside, add the following statements:

access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded

To allow RDP or terminal server traffic through an ASA: Open TCP 3689 inbound to that server whose public NAT is 230.198.191.25 , add this line:

access-list pmt_out2IN extended permit tcp any host 230.44.191.25 eq 3689

To add a comment please login by clicking here