PC Tech Support

Tech support - post experiences and reviews on tech products worked with while on the job providing support to her customers and end-users.

Permit Trace Route on Cisco ASA

By PC Tech Support at 2009-11-29 07:51:36
Out of the box the Cisco ASA behaves like most firewalls and security appliances: outbound pings appear to fail, and the traceroute command does not work either. The reason is that the ASA does not track ICMP statefully by default, so the echo request leaves the inside network but the reply is dropped on the outside interface. Traceroute is not a command that gets used every day, but it is a standard troubleshooting tool, built into desktops, laptops and routers, for finding Internet or internal connectivity problems. On the Cisco ASA, three lines need to be added to the access list applied inbound on the outside interface so that the return traffic for pings and traceroutes started from the inside is allowed back in.

Configure ASA to allow traceroute responses.

Enable Trace Route and Ping on Cisco ASA

To allow the ping and traceroute response traffic back in from the outside to internal hosts, add the following statements:

access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded

Enter the above lines in global configuration mode (configure terminal from the privileged EXEC prompt). The first line permits the ping (ICMP echo) reply; the next two permit the ICMP messages that traceroute depends on: each router along the path answers an expired probe with time-exceeded, and the final host answers a UDP-based traceroute with unreachable. You may already have an access list and access-group for inbound access to services on the outside interface. If so, change pmt_out2IN to the name of your existing access list, since an interface can carry only one access list per direction. If you don't already have an inbound access list, create one with the name above or one of your choosing, and remember to bind it to the outside interface, inbound, with an access-group statement. Note that "any any" opens these three ICMP types to every address behind the ASA; narrowing the destination to your inside network, or enabling ICMP inspection in the global policy instead, keeps the opening as small as possible.

To allow RDP (terminal server) traffic through an ASA, open TCP 3389 (the RDP port) inbound to the server's public NAT address by adding a line like this:

access-list pmt_out2IN extended permit tcp any host <public-nat-ip> eq 3389

Replace <public-nat-ip> with the server's address. On ASA 8.3 and later, access lists match the real (inside) address of the server rather than the translated one, so use the inside address there. Permitting "any" as the source exposes RDP to the whole Internet; restrict the source to the addresses that actually need to connect.
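The following is an added, worked configuration that ties together both passages above (the three ICMP return rules and the RDP rule) into one access list bound to the outside interface; it is not taken from the original post. The interface name "outside", the inside network 192.168.1.0/24, the RDP server addresses 192.168.1.20 (real) and 203.0.113.20 (public), the admin source range 198.51.100.0/24 and the object name rdp-server are all assumed for illustration. The syntax is ASA 8.3 and later (object NAT, real addresses in the ACL).

```cisco
! Added example, not from the original post. All addresses and names are assumed.
configure terminal

! Hypothetical RDP server with a static one-to-one NAT to a public address.
! (Pre-8.3 equivalent: static (inside,outside) 203.0.113.20 192.168.1.20)
object network rdp-server
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.20

! Return traffic for ping and traceroute started from the inside.
! Destination is narrowed to the assumed inside network instead of "any".
access-list pmt_out2IN extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-list pmt_out2IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-list pmt_out2IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded

! RDP to the server on TCP 3389, from an assumed admin range only, not "any".
! On 8.3+ the ACL references the real address (via the object); on earlier
! releases put the public address 203.0.113.20 here instead.
access-list pmt_out2IN extended permit tcp 198.51.100.0 255.255.255.0 object rdp-server eq 3389

! Bind the list inbound on the outside interface (one ACL per interface and direction).
access-group pmt_out2IN in interface outside

! Stateful alternative for the three ICMP lines: inspect ICMP in the default
! global policy so replies to inside-originated pings and traceroutes are
! matched to the connection table instead of being permitted by address.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

end
write memory
```

With ICMP inspection enabled, the three explicit ICMP rules can be dropped; keeping both is harmless but the inspection path is the tighter choice because it only admits replies that match an outbound request the ASA has already seen.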




By yon von rhinehardt at 2014-04-28 21:57:28
Even though it is annoying, it is totally understandable why this common and generic networking protocol was not enabled by default on the ASA. The Cisco ASA is a security appliance, and having ping and trace-route is often a first step for hackers to discover "live" devices.

