Enabling Trace Route in Cisco ASA

  1. From a Windows client, if I try and Tracert to an external IP address, this is what I would see (every hop times out, including the ASA itself).
  2. My first task is to get the ASA itself to reply to me. Unlike most network devices, the ASA does not decrease the ‘hop count’ (TTL) as traffic passes through it, so it never generates the ICMP time-exceeded reply that Tracert relies on. To rectify this we need to make a small change to the global inspection policy like so;
Petes-ASA(config)# policy-map global_policy 
Petes-ASA(config-pmap)# class class-default
Petes-ASA(config-pmap-c)# set connection decrement-ttl
  3. Now when we re-run our Tracert we see the ASA now responds, nothing else does though. To rectify that we need to allow IN some ICMP traffic (the time-exceeded and unreachable replies that the hops beyond the ASA send back).
  4. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;
Petes-ASA# show run access-group 
access-group inbound in interface outside

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’, because only one access-group can be applied inbound per interface.) If yours has a different name (e.g. outside_access_in) then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic then we will do that at the end!

  5. At this point you should know if you have an ACL; mine’s called inbound, so I need to add two lines to it like so;
Petes-ASA(config)# access-list inbound extended permit icmp any any time-exceeded
Petes-ASA(config)# access-list inbound extended permit icmp any any unreachable
  6. Try your Tracert again.
  7. Don’t forget to save the changes on the ASA.
Petes-ASA(config)# write memory
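If you manage more than one ASA it is handy to check a saved `show running-config` for the three things this article changes before someone opens a ticket saying “traceroute is broken again”. The script below is an added example, not Pete’s code or anything Cisco ships: it takes the running-config text as a string and reports whether `set connection decrement-ttl` sits under `class class-default` of `global_policy`, which ACL (if any) is applied inbound on the outside interface, and whether that ACL permits the `time-exceeded` and `unreachable` ICMP types. The two config fragments are constructed samples (the host 203.0.113.10 is a documentation address), not captures from a real firewall.

```python
import re

# Constructed sample: fragment of `show running-config` from an ASA that has
# been configured per the steps above (not captured from a real device).
CONFIG_OK = """\
access-list inbound extended permit tcp any host 203.0.113.10 eq 443
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-group inbound in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
 class class-default
  set connection decrement-ttl
"""

# Constructed sample: the same box before the change. The inbound ACL has a
# different name (outside_access_in), there is no decrement-ttl and no ICMP ACEs.
CONFIG_MISSING = """\
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
"""


def inbound_acl_name(config, interface="outside"):
    """Return the name of the ACL applied inbound on `interface`, or None."""
    pattern = r"^access-group (\S+) in interface %s\s*$" % re.escape(interface)
    match = re.search(pattern, config, re.M)
    return match.group(1) if match else None


def acl_permits_icmp(config, acl, icmp_type):
    """True if `acl` contains the exact ACE the article adds for `icmp_type`."""
    pattern = r"^access-list %s extended permit icmp any any %s\s*$" % (
        re.escape(acl), re.escape(icmp_type))
    return re.search(pattern, config, re.M) is not None


def decrement_ttl_enabled(config):
    """True if `set connection decrement-ttl` is under class-default of global_policy.

    ASA prints nested config with one leading space per level, so the indent
    tells us which policy-map and which class a line belongs to.
    """
    in_policy = False
    in_class_default = False
    for line in config.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # A new top-level statement: are we entering the global policy-map?
            in_policy = stripped == "policy-map global_policy"
            in_class_default = False
            continue
        if not in_policy:
            continue
        if indent == 1 and stripped.startswith("class "):
            in_class_default = stripped == "class class-default"
            continue
        if in_class_default and stripped == "set connection decrement-ttl":
            return True
    return False


def audit_traceroute(config, interface="outside"):
    """Summarise which of the article's three changes are present in `config`."""
    acl = inbound_acl_name(config, interface)
    return {
        "decrement_ttl": decrement_ttl_enabled(config),
        "inbound_acl": acl,
        "time_exceeded": bool(acl) and acl_permits_icmp(config, acl, "time-exceeded"),
        "unreachable": bool(acl) and acl_permits_icmp(config, acl, "unreachable"),
    }


if __name__ == "__main__":
    for name, cfg in (("configured", CONFIG_OK), ("before change", CONFIG_MISSING)):
        print(name, audit_traceroute(cfg))
```

Paste the output of `show running-config` into a file and pass its contents to `audit_traceroute()`; a `False` for `time_exceeded` or `unreachable` alongside a non-empty `inbound_acl` tells you exactly which `access-list` line (using that ACL’s name, not `inbound`) is still missing. The matcher is deliberately strict about `any any`, because that is the form the article uses; if you have scoped the source to your ISP’s ranges the check will report it as missing and you should adjust the pattern.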
