topic How do I get traceroutes to work through ASA? in Network Security

topic How do I get traceroutes to work through ASA? in Network Security https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315831#M310613 <HTML><HEAD></HEAD><BODY><P>That is right, as we are on 8.2 I have to add a NAT exempt so I keep my source IP.  The 172.30.2.0/24 subnet is just one example , 172.30.2.0/24 does have a route to 192.168.90.0/24 as I can ping everything.</P><P></P><P>The ASA has a route to a local Cisco router that is our WAN router.</P></BODY></HTML> Tue, 22 Oct 2013 14:30:37 GMT Andy White 2013-10-22T14:30:37Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315818#M310596 <P>Hello,</P><P></P><P>We have a number of networks that go though our ASA, but we have never been able to run a traceroute even though we have ICMP any any running on each inerface.  When we try a tracert from a Windows PC to a remote destination like google it works, but if we try a trace through one of the subinterfaces off the ASA (DMZ) it doesn't work.</P><P></P><P>For example I try and trace a router on our WAN and it goes to our LAN switch which then forwards to the ASA and then it his a wall:</P><P></P><P></P><P>C:\Users\me>tracert 172.30.2.1 (remote WAN router)</P><P></P><P> <SPAN style="font-size: 10pt;">Tracing route to 172.30.2.1 over a maximum of 30 hop</SPAN></P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>  1    <1 ms    <1 ms    <1 ms  192.168.90.254 (my gateway, whichis our core LAN switch)</P><P>  2     *             *        *     Request timed out.</P><P></P><P>I've never been able to solve this, any ideas?</P><P></P><P>Thanks</P> Tue, 12 Mar 2019 02:54:30 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315818#M310596 Andy White 2019-03-12T02:54:30Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315819#M310598 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Check the output of the following command on your ASA</P><P></P><P><STRONG>show run policy-map</STRONG></P><P></P><P>If its not present, add (if you are using the default configurations)</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P><STRONG>  inspect icmp</STRONG></P><P><STRONG>  inspect icmp error</STRONG></P><P></P><P>You can also check this document to help with ICMP related configurations</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 07:35:38 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315819#M310598 Jouni Forss 2013-10-22T07:35:38Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315820#M310600 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the instant reply wow!</P><P></P><P>This is what I have, I think I most of it is our IPS.</P><P></P><P> sh run policy-map</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>  message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>  inspect dns migrated_dns_map_1</P><P>  inspect h323 h225</P><P>  inspect h323 ras</P><P>  inspect rsh</P><P>  inspect rtsp</P><P>  inspect sqlnet</P><P>  inspect skinny</P><P>  inspect sunrpc</P><P>  inspect xdmcp</P><P>  inspect sip</P><P>  inspect netbios</P><P>  inspect ils</P><P>  inspect pptp</P><P>  inspect icmp error</P><P>  inspect ftp</P><P>  inspect tftp</P><P>  inspect icmp</P><P>  inspect http</P><P> class global-class</P><P>  flow-export event-type all destination 192.168.28.136</P><P>policy-map ME-DMZ6-IPS-POLICY</P><P> class ME-DMZ6-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-DMZ4-IPS-POLICY</P><P> class ME-DMZ4-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-OUTSIDE-IPS-POLICY</P><P> class ME-OUTSIDE-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-DIGI-WAN-IPS-POLICY</P><P> class ME-DIGI-WAN-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-DIGI-SYSTEMS-IPS-POLICY</P><P> class ME-DIGI-SYSTEMS-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-REC-IPS-POLICY</P><P> class ME-REC-CLASS</P><P>  ips inline fail-open sensor vs0</P><P>policy-map ME-DMZ10-IPS-CLASS</P><P> class ME-DMZ10-CLASS</P><P>  ips inline fail-open sensor vs0</P><P></P><P>So I can just add what you put above?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 22 Oct 2013 07:44:08 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315820#M310600 Andy White 2013-10-22T07:44:08Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315821#M310602 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You already seem to have the both ICMP Inspections enabled in the above configurations.</P><P></P><P>Make sure you have added the ACL rules to your external interface ACL</P><P></P><P><STRONG>access-list <ACL name=""> line 1 remark ICMP</ACL></STRONG></P><P><STRONG>access-list <ACL name=""> line 2 permit icmp any any echo-reply </ACL></STRONG></P><P><STRONG>access-list <ACL name=""> line 3 permit icmp any any time-exceeded </ACL></STRONG></P><P><STRONG>access-list <ACL name=""> line 4 permit icmp any any unreachable </ACL></STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 07:50:59 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315821#M310602 Jouni Forss 2013-10-22T07:50:59Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315822#M310603 <HTML><HEAD></HEAD><BODY><P>Just added those to the inside interface <SPAN style="font-size: 10pt;">(where I am) </SPAN><SPAN style="font-size: 10pt;">and DMZ6 where 172.30.2.1 is and no luck.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">This is what I see (sorry I use the ASDM but am learnig the CLI more):</SPAN></P><P></P><P>access-list DMZ6_WAN_access_in line 137 extended permit object-group DM_INLINE_SERVICE_36 any any 0xeba5b318</P><P>  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any (hitcnt=4884) 0xf1f06367</P><P>  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any echo-reply (hitcnt=0) 0x0afc9265</P><P>  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any time-exceeded (hitcnt=0) 0x36a14417</P><P>  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any unreachable (hitcnt=0) 0x3140b5ca</P><P></P><P>access-list inside_access_in line 292 extended permit object-group DM_INLINE_SERVICE_37 any any 0x5d4fd23c</P><P>  access-list inside_access_in line 292 extended permit icmp any any (hitcnt=6751) 0xd6183fb5</P><P>  access-list inside_access_in line 292 extended permit icmp any any echo-reply (hitcnt=0) 0xb2f4960f</P><P>  access-list inside_access_in line 292 extended permit icmp any any time-exceeded (hitcnt=0) 0x64438bdb</P><P>  access-list inside_access_in line 292 extended permit icmp any any unreachable (hitcnt=0) 0xa5dece3d</P><P></P><P>Thanks</P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Tue, 22 Oct 2013 08:12:25 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315822#M310603 Andy White 2013-10-22T08:12:25Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315823#M310605 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>These should be added to the interface ACL that is attached to your ASA interface thats connected to the Internet. These ACL rules allow the reply messages from devices between the path to the device to which you are tracing the route.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 08:17:38 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315823#M310605 Jouni Forss 2013-10-22T08:17:38Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315824#M310606 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Same issue, athough the WAN link isn't over the internet.  I can do traces already to sites over the internet for example to google.</P><P></P><P>Off the ASA I have a trunk to a 3750 which has all the VLANs to these WAN sites and other VLANs and none can be traced, pings are fine.  I have to create subinterfaces off the ASA and add them to the trunk, I assume it is the ASA, but maybe not now.</P></BODY></HTML> Tue, 22 Oct 2013 08:32:08 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315824#M310606 Andy White 2013-10-22T08:32:08Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315825#M310607 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To be honest I am not sure I can see what the problem is with the above information.</P><P></P><P>The already provided commands and link to the document is usually the ones required to get this working.</P><P></P><P>You can always test ICMP through ASA with <STRONG>"packet-tracer"</STRONG> command to check that the initial direction to your destination network/host is atleast allowed</P><P></P><P><STRONG>packet-tracer input <INPUT interface="" nameif="" /> icmp <SOURCE ip=""> 8 0 <DESTINATION ip=""></DESTINATION></SOURCE></STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 09:17:13 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315825#M310607 Jouni Forss 2013-10-22T09:17:13Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315826#M310608 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here are the results,</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: DMZ6_WAN</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P>I just put a laptop on the otherside of the ASA just to prove the trace works to the WAN router and it did, so it definately is the ASA.</P><P></P><P>Oh well, thanks for you time on this it was most appreciated.</P><P></P><P>Thanks </P></BODY></HTML> Tue, 22 Oct 2013 13:04:34 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315826#M310608 Andy White 2013-10-22T13:04:34Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315827#M310609 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am not sure if the above partial output tells me anything. And I am not sure of at the actual network layout and where the source and destination are with regards to it and what configurations/rules are applied to the traffic between them.</P><P></P><P>The ASA itself doesnt show up in the traceroute by default. That can be changed with the instructions on the document I linked. Though I usually leave the ASAs at their default setting regarding this that they dont show up in the traceroute.</P><P></P><P>I would also monitor the logs while doing the traceroute for example through the ASDM and see if ASA is blocking any of the replys from the devices behind the ASA:</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 13:10:28 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315827#M310609 Jouni Forss 2013-10-22T13:10:28Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315828#M310610 <HTML><HEAD></HEAD><BODY><P>Sorry for the lack of output this is what I got:</P><P></P><P>I upped the logging level, but didn't get anything show as blocked on my syslog server:</P><P></P><P> packet-tracer input inside icmp 192.168.90.11 8 0 172.30.2.1</P><P></P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in   172.30.2.0      255.255.255.0   DMZ6_WAN</P><P></P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in   192.168.90.0    255.255.255.0   inside</P><P></P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group inside_access_in in interface inside</P><P>access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_37 any any</P><P>object-group service DM_INLINE_SERVICE_37</P><P> service-object icmp</P><P> service-object icmp echo-reply</P><P> service-object icmp time-exceeded</P><P> service-object icmp unreachable</P><P>Additional Information:</P><P></P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 6</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>policy-map global_policy</P><P> class inspection_default</P><P>  inspect icmp error</P><P>service-policy global_policy global</P><P>Additional Information:</P><P></P><P></P><P>Phase: 7</P><P>Type:</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 8</P><P>Type: NAT-EXEMPT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>  match ip inside host 192.168.90.11 DMZ6_WAN 172.30.2.0 255.255.255.0</P><P>    NAT exempt</P><P>    translate_hits = 236539, untranslate_hits = 0</P><P>Additional Information:</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>  match ip inside any DMZ6_WAN any</P><P>    dynamic translation to pool 1 (No matching global)</P><P>    translate_hits = 21268, untranslate_hits = 0</P><P>Additional Information:</P><P></P><P></P><P>Phase: 10</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>  match ip inside any outside any</P><P>    dynamic translation to pool 1 (81.171.56.166 [Interface PAT])</P><P>    translate_hits = 105683296, untranslate_hits = 13170795</P><P>Additional Information:</P><P></P><P></P><P>Phase: 11</P><P>Type: NAT</P><P>Subtype: host-limits</P><P>Result: ALLOW</P><P>Config:</P><P>nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0</P><P>  match ip DMZ6_WAN any outside any</P><P>    dynamic translation to pool 1 (81.171.56.166 [Interface PAT])</P><P>    translate_hits = 6954867, untranslate_hits = 951791</P><P>Additional Information:</P><P></P><P></P><P>Phase: 12</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 13</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 1912800586, packet dispatched to next module</P><P></P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: DMZ6_WAN</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Tue, 22 Oct 2013 13:40:37 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315828#M310610 Andy White 2013-10-22T13:40:37Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315829#M310611 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>This is the way to allow traceroute through the ASA firewall: </P><P></P><P></P><P><STRONG>Enable TTL decrement:</STRONG></P><P></P><P>  policy-map global_policy </P><P>    class class-default</P><P>    set connection decrement-ttl </P><P></P><P></P><P><STRONG>Adjust icmp timeouts:</STRONG></P><P></P><P>  icmp unreachable rate-limit 5 burst-size 5</P><P></P><P></P><P><STRONG>On interface access-lists permit UDP packets:</STRONG></P><P></P><P>  access-list outside-in permit udp any any gt 33433.  (or range 33434 to 33464)</P><P></P><P></P><P></P><P>Regards</P><P></P><P>/Peter</P></BODY></HTML> Tue, 22 Oct 2013 13:58:46 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315829#M310611 ppejjorgensen 2013-10-22T13:58:46Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315830#M310612 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Your full output of the <STRONG>"packet-tracer"</STRONG> would indicate that there is a NAT0 configuration that is applied to this traffic.</P><P></P><P>In other words the source address 192.168.90.11 will not be NATed when connecting towards subnet 172.30.2.0/24</P><P></P><P>Does the hosts on subnet 172.30.2.0/24 have a route to reach network 192.168.90.0/24 through the ASA? (since there is no NAT configured for the network 192.168.90.0/24) Or is the subnet 172.30.2.0/24 perhaps directly connected to the ASA and the ASA is set as the default gateway out of that network?</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 14:24:14 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315830#M310612 Jouni Forss 2013-10-22T14:24:14Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315831#M310613 <HTML><HEAD></HEAD><BODY><P>That is right, as we are on 8.2 I have to add a NAT exempt so I keep my source IP.  The 172.30.2.0/24 subnet is just one example , 172.30.2.0/24 does have a route to 192.168.90.0/24 as I can ping everything.</P><P></P><P>The ASA has a route to a local Cisco router that is our WAN router.</P></BODY></HTML> Tue, 22 Oct 2013 14:30:37 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315831#M310613 Andy White 2013-10-22T14:30:37Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315832#M310614 <HTML><HEAD></HEAD><BODY><P>Get this error.</P><P></P><P>(config)# class class-default</P><P>ERROR: % class-default is a well-known class and is not configurable under class-map</P></BODY></HTML> Tue, 22 Oct 2013 14:31:49 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315832#M310614 Andy White 2013-10-22T14:31:49Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315833#M310615 <HTML><HEAD></HEAD><BODY><P>I read that using <SPAN style="font-size: 10pt;">icmp fixup and icmp fixup error has worked, is this included under the default icmp inspect as I can't find this?</SPAN></P></BODY></HTML> Tue, 22 Oct 2013 14:42:58 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315833#M310615 Andy White 2013-10-22T14:42:58Z How do I get traceroutes to work through ASA? https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315834#M310616 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The below configuration commands</P><P></P><P><STRONG>fixup protocol icmp</STRONG></P><P><STRONG>fixup protocol icmp error</STRONG></P><P></P><P>are the old command format which is still supported but in newer software they will be converted to </P><P></P><P><STRONG>inspect icmp</STRONG></P><P><STRONG>inspect icmp error</STRONG></P><P></P><P>which were already in your configuration</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 14:53:54 GMT https://community.cisco.com/t5/network-security/how-do-i-get-traceroutes-to-work-through-asa/m-p/2315834#M310616 Jouni Forss 2013-10-22T14:53:54Z