topic Re: Enabling Traceroute in ASA in Network Security

Enabling Traceroute in ASA

johnlloyd_13 — Tue, 12 Mar 2019 03:01:16 GMT

hi all,

i've enabled traceroute on my ASA 5505 and behind is another router.

the problem is the two device's traceroute aren't the same. i want a similar output on the ASA.

is this normal or was there something i've missed?

1841#trace www.google.com

Translating "www.google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.

Tracing the route to www.google.com (173.194.117.50)

1 172.16.1.1 4 msec * 0 msec <<< ASA GW

2 www.google.com (173.194.117.50) 0 msec 0 msec 4 msec

3 www.google.com (173.194.117.50) 8 msec 8 msec 12 msec

4 www.google.com (173.194.117.50) 16 msec 12 msec 12 msec

5 www.google.com (173.194.117.50) 16 msec 16 msec 16 msec

6 www.google.com (173.194.117.50) 12 msec 12 msec 20 msec

7 www.google.com (173.194.117.50) 16 msec 12 msec 52 msec

8 www.google.com (173.194.117.50) [MPLS: Label 16040 Exp 0] 12 msec 12 msec 12 msec

9 www.google.com (173.194.117.50) 12 msec 12 msec 12 msec

10 www.google.com (173.194.117.50) 12 msec 12 msec 12 msec

11 www.google.com (173.194.117.50) 12 msec 12 msec 12 msec

12 www.google.com (173.194.117.50) 16 msec 12 msec 12 msec

13 www.google.com (173.194.117.50) 16 msec 12 msec 8 msec

ASA5505# trace www.google.com

Type escape sequence to abort.

Tracing the route to 173.194.117.49

1 192.168.1.1 0 msec 0 msec 0 msec <<< ANOTHER ROUTER CONNECTED TO CABLE MODEM

2 cm1.delta104.maxonline.com.sg (59.x.x.1) 10 msec 10 msec 20 msec

3 172.20.43.1 10 msec 10 msec 10 msec

4 172.26.43.1 10 msec 30 msec 20 msec

5 172.20.7.106 20 msec 10 msec 10 msec

6 203.117.36.89 10 msec 10 msec 10 msec

7 203.117.36.25 30 msec 10 msec 10 msec

8 203.117.36.18 20 msec 10 msec 10 msec

9 72.14.196.189 20 msec 10 msec 10 msec

10 66.249.95.122 10 msec 10 msec 20 msec

11 209.85.244.115 10 msec 10 msec 10 msec

12 www.google.com (173.194.117.49) 20 msec 10 msec 20 msec

ASA5505# sh run policy-map

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

class class-default

set connection decrement-ttl

ASA5505# sh run access-list

access-list OUTSIDE-IN extended permit icmp any 172.16.0.0 255.255.0.0 echo

access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq ssh

access-list OUTSIDE-IN extended permit icmp any any time-exceeded

access-list OUTSIDE-IN extended permit icmp any any unreachable

Enabling Traceroute in ASA

Jouni Forss — Wed, 06 Nov 2013 17:54:03 GMT

Hi,

Could you start by trying to add the following and see if it helps

policy-map global_policy

class inspection_default

inspect icmp error

This to my understanding is meant for the ICMP related messages that the devices in between your actual trace/icmp target send.

- Jouni

Enabling Traceroute in ASA

johnlloyd_13 — Wed, 06 Nov 2013 17:59:46 GMT

jouni,

you're a genius! thanks a lot!

1841#trace www.google.com

Translating "www.google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.

Tracing the route to www.google.com (173.194.117.51)

1 172.16.1.1 4 msec * 0 msec

2 192.168.1.1 0 msec 0 msec 0 msec

3 cm1.delta104.maxonline.com.sg (59.x.x.1) 12 msec 56 msec 12 msec

4 172.20.43.1 8 msec 12 msec 12 msec

5 172.26.43.1 16 msec 16 msec 16 msec

6 172.20.7.114 16 msec 12 msec 12 msec

7 203.117.36.89 12 msec 12 msec 16 msec

8 203.117.36.21 [MPLS: Label 16183 Exp 0] 12 msec 12 msec 12 msec

9 203.117.37.22 12 msec 12 msec 12 msec

10 72.14.220.142 28 msec 20 msec 16 msec

11 209.85.243.156 16 msec 16 msec 16 msec

12 209.85.244.115 16 msec 16 msec 16 msec

13 www.google.com (173.194.117.51) 16 msec 16 msec 16 msec

Enabling Traceroute in ASA

Jouni Forss — Wed, 06 Nov 2013 18:05:20 GMT

Hi,

Glad to hear its working now.

I see that you originally used the configuration that decrements the TTL which essentially enabled the ASA to show in the traceroute.

If you want to check a better explanation of the "inspect icmp error" configuration then you can check here in the Command Reference. The information is contained in the "Usage Guidelines" section there.

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html#wp1760544

Also this is an old document that handles this subject

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

There is section for both getting the firewall to show up in the traceroute and also make the traceroute work through the firewall

- Jouni

Re: Enabling Traceroute in ASA

johnlloyd_13 — Wed, 06 Nov 2013 18:42:56 GMT

Yes, I was trying out that command but it gave me a different output as I described earlier.

Thanks for the links! Will go over these. I had too much ASA for the day but it was a fun learning experience!

So is it safe to say I could remove these:

class class-default
set connection decrement-ttl
!
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable

Or they're needed for making traceroute work?

Sent from Cisco Technical Support iPhone App

Enabling Traceroute in ASA

Jouni Forss — Wed, 06 Nov 2013 18:50:26 GMT

Hi,

I think you need those still.

To my understanding the "inspect icmp error" helps with the traceroute that is done from a host that uses Dynamic PAT translation towards the Internet.

You should still need those ACL rules.

- Jouni