topic Hello,I know this has been a in Network Security

ASA ICMP 11 traceroute return traffic (hops)

gbudesheim — Tue, 12 Mar 2019 03:22:06 GMT

I currently am trying to set up an ACL to allow only type 11 ICMP messages back through the outside interface of our ASA using specific hosts and destination addresses. Currently I have two object groups set up with internal address (object group 1) and external specified hosts (internet). Also my global policies are set to allow icmp traffic to be inspected. The issue im trying to resolve is when I trace to an internet site www.yahoo.com after leaving the ASA it starts to time out.

results and configs below

C:\Users>tracert www.yahoo.com

Tracing route to ds-any-fp3-real.wa1.b.yahoo.com [98.139.183.24]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms x.x.x.x.

2 <1 ms <1 ms <1 ms x.x.x.x.

3 1 ms <1 ms <1 ms x.x.x.x.

4 <1 ms <1 ms <1 ms x.x.x.x.

5 1 ms 2 ms 1 ms x.x.x.x.

6 13 ms 5 ms 4 ms x.x.x.x.

7 9 ms 8 ms 8 ms x.x.x.x.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 * * * Request timed out.

15 * * * Request timed out.

16 * * * Request timed out.

17 * * * Request timed out.

18 * * * Request timed out.

19 * * * Request timed out.

20 * * * Request timed out.

21 * * * Request timed out.

22 * * * Request timed out.

23 * * * Request timed out.

24 * * * Request timed out.

25 * * * Request timed out.

26 * * * Request timed out.

27 * * * Request timed out.

28 * * * Request timed out.

29 36 ms * * ir2.fp.vip.bf1.yahoo.com [98.139.183.24]

30 130 ms 98 ms 66 ms ir2.fp.vip.bf1.yahoo.com [98.139.183.24]

object-group network objectgroup1

description -- these are the source addresses

network-object xx.xx.0.0 255.255.0.0

object-group network objectgroup2

description -- external hosts

network-object host xx.xx.xx.xx

access-list acl_outside extended permit icmp object-group objectgroup1 object-group objectgroup2 eq time-exceeded

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

How can I have the hosts in between show

ASA ICMP 11 traceroute return traffic (hops)

rajath4444 — Wed, 01 Jan 2014 23:04:19 GMT

Check this article

http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

-Rajath

Hello,I know this has been a

adrianopinaffo1 — Thu, 21 Aug 2014 22:25:07 GMT

Hello,

I know this has been a long time ago, but I'm facing the same issue in the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.

I also checked my ASA configuration and the only setting that is not present is the "match any " for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:

ASA(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Can you guys help me? I posted below the tracert output and the concerned configuration. I can't find the misfit and I already checked most of the configuration forums.

C:\>tracert www.google.com

Tracing route to www.google.com [173.194.79.104]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 212 ms 212 ms 212 ms pb-in-f104.1e100.net [173.194.79.104]

Trace complete.

---Router configuration

icmp unreachable rate-limit 10 burst-size 5
!
!
!
object-group service ICMP_Return
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo-reply
service-object icmp6 time-exceeded
service-object icmp6 unreachable
!
!
!
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
!
!
!
access-group IF_outside_access_in in interface IF_outside
!
!
!
class-map class_default
!--- This does not exit -> match any
!
!
class-map inspection_default
match default-inspection-traffic
!
!
!
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global