topic Re: ASA NAT/Traceroute Inside to Outside Issues in Network Security

ASA NAT/Traceroute Inside to Outside Issues

hiltonstroud — Tue, 12 Mar 2019 01:47:05 GMT

Hi All,

Product in question: ASA5512-x in HA Active/Standby Failover mode

When running a ping from the inside network to a device on the internet I recieve replies and all is good. However when running a traceroute from inside the network to a device on the internet I receive timeouts which look to be caused by a ACL deny rule, that being "outside/internet_access_in" If I quickly add an access rule for "outside/internet" incoming rule and allow any any with ICMP_Group then I get replies and the ACL is allowing it, however the replies for the traceroute are always the same, which is the device IP your tracing. I wouldn't think you would want an outside/internet incoming rule for this kind of service as it would open you up and kinda defeat the purpose of firewal etc.

To me it sounds like NAT is certainly causing some weirdness here, possilby they way it's setup...

The following is the explanation from the Deny message on syslog.

%ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)] 
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)] 
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]

A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.

Following are the 2 NAT rules in place at the moment - The first one was auto created when configuration a site-to-site VPN which is meant to tell the traffice over the VPN not to NAT.

nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup

nat (inside,internet) source dynamic any interface

I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfig's to work around this. It certainly hasn't been easy trying to explain what is occuring here in writting.

Thank you for your time.

ASA NAT/Traceroute Inside to Outside Issues

Jouni Forss — Wed, 22 May 2013 09:06:26 GMT

Hi,

Have you enabled ICMP Inspection?

For example

fixup protocol icmp

fixup protocol icmp error

Or you add them under the "policy-map" configurations along with the other "inspect"

inspect icmp

inspect icmp error

I remember reading on these forums that this might be some bug.

- Jouni

Re: ASA NAT/Traceroute Inside to Outside Issues

hiltonstroud — Wed, 22 May 2013 23:57:46 GMT

Hi Jouni,

Yes I beleive ICMP Inspecition is enabled, for both ICMP and ICMP error, I see this in the ASDM and on CLI, see below

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect icmp error

-----------------------------------------------------------------------------------------------------------------------

I have not run the "fixup protocol icmp" - I am not sure what this is?

EIDT: After a quick look into this fixup protocol I see it's the same as enabling the inspect icmp & icmp error as shown above, well from what I understand, please correct me if I am wrong.

ASA NAT/Traceroute Inside to Outside Issues

Jouni Forss — Thu, 23 May 2013 07:14:17 GMT

Hi,

To my understanding there shouldnt be many things preventing traceroute through the firewall.

Usually its related to the Inspections and/or lacking the ACL statements on the "outside" interface which allow echo-reply, time-exceeded and unreachable messages.

Could you post some exact Syslog messages when a ICMP message is blocked? (Can naturally mask the public IP addresses) To my understanding the ASA is at the moment blocking the messages that the routers in between the destination and the source are sending to the source host behind the ASA.

One other usual problem regarding ASA and traceroute is also the fact that the ASA doesnt show up on the traceroute. IF that is required you will also need some additional configurations.

There is also the possibility that you are running into some software bug. To try to determine that we would need to know your current software level.

And regarding the "fixup" commands. These are the predecessor of "inspect" on old Cisco PIX firewalls. The ASAs still seem to support these old commands but ASA will convert the commands to "inspect" configurations. Sometimes its just faster and easier to use the "fixup" command to insert the configuration than going under the "policy-map" configurations.

- Jouni

ASA NAT/Traceroute Inside to Outside Issues

Julio Carvajal — Thu, 23 May 2013 16:36:38 GMT

Hello,

Have to agree with Jouni,

When we see this issues the command that fix it is the "fixup protocol icmp error" but it seems that it's doing nothing here,

So I would say captures on the inside and outside plus logs would allow a better troubleshooting here,

Can you share the show service-policy ( did you perform a clear local-host after entering the fixup protocol icmp and icmp error?

Re: ASA NAT/Traceroute Inside to Outside Issues

hiltonstroud — Mon, 27 May 2013 00:25:49 GMT

Hi Jouni,

I would agree with your comments as well after obtaining better understanding of the issue myself with your support.

As per request below is exact syslog message from traceroute.

6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:18:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:18:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:21|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:17|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:13|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:17:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:17:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:16:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:16:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:15:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:15:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|10:00:02|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|10:00:00|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|09:59:57|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|09:59:55|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|09:59:53|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|09:59:51|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

6|May 27 2013|09:59:50|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1

4|May 27 2013|09:59:48|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]

Software Version:

Cisco Adaptive Security Appliance Software Version 9.0(1)

Device Manager Version 7.1(3)

Re: ASA NAT/Traceroute Inside to Outside Issues

hiltonstroud — Mon, 27 May 2013 00:34:52 GMT

Hi Jcarvaja,

I have not perfomed a "clear local-host" after entering the fixup protocol commands. May I ask what this command is and what it may do to fix the issue, I would like to understand it.

As requested below is output from "show service-policy"

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 662143, lock fail 0, drop 14018, reset-drop 0, v6-fail-close 0

Inspect: ftp, packet 17758, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0

Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0