ASA的tracert和icmp开启

21224301

ASA 的ping和tracert使用问题
在ASA的默认中是不允许使用icmp和tracert ，默认状态中是禁止。ICMP包需要开启功能，tracert需要添加控制访问规则，主要由于asa不会回应TTL Exceeded包，另外ASA策略也有限制，所以需要解除限制和定义控制访问列表。
允许ICMP，比较简单。只要进入到policy-map开启icmp即可
policy-map global_policy
class inspection_default
inspect icmp
即可，如果是ASA8.3以前的话，就更简单，只要定义acl规则允许 access-list pe icmp any any并应用到相应的接口即可

Tracert的问题
由于ASA禁止TTL Exceeded包，这里的需要定义个访问控制列表，并放行防火墙策略。
首先更改ASA策略设置
设置TTL包


Class-map all_ip
match any
Policy-map golobl_policy
Class all_ip
Set connection decrement-ttl
设置好防火墙策略，对access-list进行放行和应用

access-list out_in remark ICMP type 11 for Windows Tracert
access-list out_in extended permit icmp any any time-exceeded
access-list out_in remark ICMP type 3 for Cisco and Linux
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply
access-list out_in extended permit icmp any any source-quench





并应用到相应的接口即可
access-group out_in in interface outside_mobile
access-group out_in in interface outside_tel
access-group out_in in interface mobile_vpn
access-group out_in in interface tel_vpn