topic traceroute from the switch directly connected via inside in Network Security

traceroute from the switch directly connected via inside

M Mohammed — Fri, 21 Feb 2020 15:12:35 GMT

i can traceroute 8.8.8.8 from fw

fw/pri/act# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 x.x.x.x0 msec 0 msec 0 msec
2 * *
x.14.214.71 0 msec
3 x.14.214.70 0 msec 10 msec 0 msec
4 x.170.246.225 0 msec * 0 msec
5 x.170.233.223 0 msec
x.14.237.179 0 msec
x.14.234.157 0 msec
6 google-public-dns-a.google.com (8.8.8.8) 0 msec 0 msec 10 msec

but when i do source of inside it does not work

fw/pri/act# traceroute 8.8.8.8 source inside

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 * * *
2 * * *
3 * * *

any advise

Re: traceroute from the switch directly connected via inside

Marvin Rhoads — Sat, 27 Jan 2018 14:47:42 GMT

You cannot generally source traffic from one ASA interface to exit another one.

Re: traceroute from the switch directly connected via inside

Florin Barhala — Wed, 14 Mar 2018 13:33:48 GMT

Hi Marvin,

Can you detail your answer here please?

I need to run traceroute to IP_dst using as source another ASA interface, let's call it inside.

Isn't this possible? If not why does traceroute command on ASA have source option?

If I am not clear:

- ASA 9.6.x

- ASA interfaces: lan_data, lan_voice, outside

- show route | 1.2.3.4

S* 1.2.3.4 255.255.255.255 [1/0] via outside_interconnect_IP, outside

I need to run: traceroute 1.2.3.4 source lan_data

Thanks!

Re: traceroute from the switch directly connected via inside

Marvin Rhoads — Sat, 17 Mar 2018 04:52:11 GMT

As far as I know, traceroute on an ASA will always be sourced from the interface that has the best route to the destination.

~~That's why there's no way to specify the source address.~~

Re: traceroute from the switch directly connected via inside

Florin Barhala — Wed, 14 Mar 2018 13:44:15 GMT

Ok now I am really puzzled. First of all thanks for the lighting fast reply!
Now on ASA I have this menu:

traceroute 1.2.3.4 ?

numeric display numeric address
port specify port number
probe specify number of probes per hop
source specify source address or interface
timeout specify time out
ttl specify minimum and maximum ttl/hop-limit
use-icmp use ICMP probe packets
<cr>
traceroute 1.2.3.4 source ?

A.B.C.D Source address
Current available interface(s):
lan_data Name of interface GigabitEthernet0/0
lan_voice Name of interface GigabitEthernet0/1
outside Name of interface GigabitEthernet0/2

What do you make of it?

Re: traceroute from the switch directly connected via inside

Florin Barhala — Fri, 16 Mar 2018 11:00:50 GMT

Marvin, did you manage to read my previous reply here?
I am still stuck to create a TAC case for couple weeks so if you have any idea - thanks in advance!

Re: traceroute from the switch directly connected via inside

Marvin Rhoads — Sat, 17 Mar 2018 04:54:08 GMT

I'm not sure at this point. I amended my earlier reply to reflect my doubt and take into account the option you pointed out.

Why not just use an actual traceroute from the next hop inside? Or, failing that, a packet-tracer on the ASA?

Re: traceroute from the switch directly connected via inside

Florin Barhala — Mon, 19 Mar 2018 10:17:59 GMT

Packet tracer indicates that packet is allowed.
Now since this is an ongoing issue and involves customer connectivity I was asked to provide a traceroute so everyone involved can see the hops "before the issue".

Since this is happening on lan_voice (only phones sit there) I am left with:
1. Using ASA for traceroute dst_IP source lan_voice
2. Cable a PC on lan_voice Vlan and run "tracert -d dst_IP"

I had to use the latter but as you might guess this is time consuming hence this entire discussion: traceroute using ASA source IP from one connected interface.

Re: traceroute from the switch directly connected via inside

Marvin Rhoads — Mon, 19 Mar 2018 12:49:35 GMT

You could create an SVI on one of the switches that includes the lan_voice VLAN and traceroute from the switch using that as a source address.

You can also capture traffic from one of the devices having issues to demonstrate that the ASA is correctly handling the traffic.

Re: traceroute from the switch directly connected via inside

Florin Barhala — Mon, 19 Mar 2018 13:37:15 GMT

SVI on the switch might help. As we speak we are passed this, still my need to tshoot the FW at demand is still on.

As I said I will open a TAC case the moment I ll receive access to the service contracts.

Re: traceroute from the switch directly connected via inside

M Mohammed — Wed, 21 Mar 2018 13:07:16 GMT

@Florin Barhala

Please share the end result once you log the case with TAC

Many thanks