topic This works fine for getting in Network Security

Allow Traceroute through ASA

Justin Westover — Tue, 12 Mar 2019 01:13:29 GMT

We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issue the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a MAC and a PC since I know that both uses different methods when performing a traceroute. Both are unable to traceroute through the ASA.

Allow Traceroute through ASA

jocamare — Wed, 13 Mar 2013 04:28:52 GMT

Try

class class_default
  set connection decrement-ttl

Re: Allow Traceroute through ASA

Julio Carvajal — Wed, 13 Mar 2013 05:20:30 GMT

Hello Justin,

Hope you are having a great day.

First of all lets set the basics:

Linux and Cisco devices will send UDP packets to a pseudorandom port to build the network map, the reply will be an UDP ICMP Port-Unreachable

Windows use ICMP messages,with a TTL of 1 and then incrementing hop by hop. the reply will be a TTL Exceeded.

So Far so good right.

So on the Scenario you are showing us we can see the traceroute working as we can reach the destination but looks like some devices responses are not reaching us.. Why is that?

Well that is because we have the ASA in place and those particular ICMP message codes are not permited by default

So let's do the following:

access-list Julio permit icmp any any eq time-exceeded

access-list Julio permit icmp any any eq unreachable

access-group Julio in interface outside

Hope that I could help

Julio Carvajal

Advanced Security Trainer

Allow Traceroute through ASA

rkusak — Thu, 28 Mar 2013 19:47:58 GMT

I have the same issue on a 5545 running 9.1. I followed the steps outlined here, but it doesn't work. I've succesfully done this before on older ASA's running 8.x code, so I know it works. The ACL on the outside interface is there, ICMP inspection is turned on, but traceroutes from inside to outside show "Request timed out". Any ideas?

Thanks.

Allow Traceroute through ASA

Justin Westover — Thu, 28 Mar 2013 19:50:20 GMT

Yeah I still have the same problem. I can't figure it out. I have ICMP fixup on (inspection) and the proper ACLs but still I only get a "request timed out"

Allow Traceroute through ASA

Julio Carvajal — Thu, 28 Mar 2013 19:56:52 GMT

Hello Justin,

I will need to see the configuration as it does not make sense, it should work

Regards

Allow Traceroute through ASA

Justin Westover — Thu, 28 Mar 2013 20:00:59 GMT

Alright, i'll post the ACLs and the policy-map that shows the inspections later today/tonight.

Allow Traceroute through ASA

tarek issa — Wed, 29 Jan 2014 11:06:53 GMT

Any Update regarding this ??

I am having same issue with ASA v 9.1(2)

Re: Allow Traceroute through ASA

Justin Westover — Wed, 29 Jan 2014 12:21:46 GMT

Sorry, no update. This was for a customer and they decided they didn't want this feature enabled. I haven't ran across this issue since then. Definitely keep pushing to get an answer as I am sure I will eventually run across this again.

Sent from Cisco Technical Support iPhone App

Has anyone found a solution

k.aumell — Tue, 11 Mar 2014 12:33:02 GMT

Has anyone found a solution to this? I've tried a number of things found in the forums, and none seem to work.

Any help is greatly appreciated.

There are two requirements to

Joe Doran — Thu, 27 Mar 2014 20:45:48 GMT

There are two requirements to get ICMP based traceroute to work:

* Inspect ICMP from the inside heading out.

* Allow ICMP time-exceeded inbound from outside.

Missing either requirement will cause traceroute to fail as seen from an internal host. So as an example:

access-list OUTSIDE_INGRESS remark *** ALLOW ICMP BASED TRACEROUTE ***
access-list OUTSIDE_INGRESS extended permit icmp any any time-exceeded

access-group OUTSIDE_INGRESS in interface Outside

class-map inside-inspection
match default-inspection-traffic

policy-map inside-policy
class inside-inspection
inspect icmp

service-policy inside-policy interface Inside

These are just the relevant pieces of a working firewall config. If you are using the global service-policy and inspecting icmp, then you don't need to worry about any of the class-map, policy-map, or service-policy configuraton in my example above.

Regards,

Joe Doran

Thank you Doran, you saved my

tsvetani90 — Mon, 31 Mar 2014 13:34:13 GMT

Thank you Doran, you saved my day.

I was running ASA 5510 v9.1 and I was experiencing the same problem. I was not able to traceroute from the internal LAN interface. I have already done the second requirement:

* Allow ICMP time-exceeded inbound from outside.

And I was wondering what is happening? So when I saw your post I checked the first requirement and it appears that I have not defined an inspect rule for the outgoing ICPM traffic. So I added it and everything looks good.

Can you explain or give me a link with information why I need to inspect the ICMP traffic?

Thank you again and have a nice day!

Sure,The ICMP inspection

Joe Doran — Mon, 31 Mar 2014 13:46:22 GMT

Sure,

The ICMP inspection allows the ASA to keep track of the ICMP connections built *through* the ASA. In your case, if you only had the ACL the TTL traffic is allowed in from the outside, but the ASA did not keep track of the connection, so the traffic was still denied.

In the other case, people may have had the ICMP inspection configuration so the ASA keeps track of the ICMP connections built through the ASA, but that command only dynamically allows ICMP echo replies back in, not the TTL expired, so it gets denied again in this scenario.

You need both pieces for the ICMP based traceroute so that you are allowed time expired traffic in, but you need the ASA also to know the details of the ICMP connection through the ASA.

I hope that helps. We can get much more detailed but I don't have time at the moment.

Wonderful !Thank you for the

tsvetani90 — Mon, 31 Mar 2014 13:57:17 GMT

Wonderful !
Thank you for the explanation.

Hi, I tried but it is not

rparrat666 — Thu, 21 Aug 2014 18:53:20 GMT

Hi, I tried but it is not working 😞

Please any help

access-list outside _in extended permit icmp any any time-exceeded
access-list outside _in extended permit icmp any any unreachable
access-list outside _in extended permit icmp any any traceroute

outside _in in interface outside

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect ftp
class class-default
set connection decrement-ttl

When trying I got this:

CORE_4500#traceroute 4.2.2.2
Type escape sequence to abort.
Tracing the route to 4.2.2.2
1 10.110.0.252 0 msec 0 msec 0 msec
2 4.2.2.2 4 msec 0 msec 0 msec
3 4.2.2.2 4 msec 0 msec 4 msec
4 4.2.2.2 20 msec 24 msec 20 msec
5 4.2.2.2 28 msec 24 msec 24 msec
6 4.2.2.2 24 msec 20 msec 24 msec
7 4.2.2.2 28 msec 28 msec 24 msec
8 4.2.2.2 24 msec 24 msec 24 msec
9 4.2.2.2 36 msec 32 msec 32 msec
10 * 32 msec 28 msec
11 * * *
12 4.2.2.2 36 msec 32 msec 36 msec
13 4.2.2.2 32 msec 36 msec 36 msec
14 4.2.2.2 36 msec 36 msec 36 msec

Its shows same IP for all hops

You have a routing issue.

Joe Doran — Thu, 21 Aug 2014 18:55:43 GMT

You have a routing issue. Traceroute is working.

Nop, I was missing inspect

rparrat666 — Thu, 21 Aug 2014 18:57:18 GMT

Nop, I was missing inspect icmp error

Hi, I solved it, I was

rparrat666 — Thu, 21 Aug 2014 18:59:29 GMT

Hi, I solved it, I was missing "inspect icmp error" on class inspection_default, by the way, confighuring:

icmp unreachable rate-limit 10 burst-size 5

and

class class-default
set connection decrement-ttl

Will show the asa as a hop

This works fine for getting

gchevalley — Fri, 29 Aug 2014 13:53:06 GMT

This works fine for getting trace route to show when tracing traffic from the inside interface to the outside interface but what about DMZ interfaces?

I have several firewalls some of which have several DMZ area's hanging off them. Some of these firewalls have an outside connection and some do not. It would be very beneficial for traceroute to show the firewall in its output. I have added a class default and set connection decrement-ttl which worked when tracing internet bound traffic but not DMZ bound traffic. When trying to trace DMZ bound traffic I'm not seeing anything getting denied and have ACL statements to allow echo, echo-reply, time-exceeded, and unreachables. Does anyone know if it's possible to get the firewall to show when tracing traffic destined to a DMZ and not the outside?

H:\>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1     3 ms     1 ms     1 ms 10.1.1.254
2     2 ms     1 ms     1 ms 10.20.0.1       <- Firewall inside ip
3     3 ms     1 ms     1 ms 1*.***.***.**2
4    ^C

C:\>tracert 10.10.10.5

Tracing route to 10.10.10.5
over a maximum of 30 hops:

1     2 ms     1 ms     1 ms 10.1.1.254
2     *        *        *     Request timed out.    <-  firewall doesn't show
3     2 ms     1 ms     1 ms 10.10.10.5

Firewall:

icmp unreachable rate-limit 10 burst-size 5
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside

access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded

access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply

access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded

class-map CLASS_DEFAULT
match any
class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect dns
inspect ip-options
inspect snmp
inspect icmp
inspect tftp
class CLASS_DEFAULT
set connection decrement-ttl

This was very helpfuly.

shane.francis — Sat, 14 Nov 2015 23:59:52 GMT

This was very helpfuly.

>/Shane