topic Enable traceroute on ASA in Network Security

Enable traceroute on ASA

Tupe_kunal — Fri, 21 Feb 2020 13:23:51 GMT

Hi,

Below is the config on one of my ASA. However, i am unable to traceroute. What could be the issue.

access-group outside_access_in in interface OUTSIDE
access-group INSIDE in interface inside
access-group DMZ in interface DMZ

#sh run access-list outside_access_in | i icmp
access-list acronisbosrtr1_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2

#sh access-list outside_access_in | i icmp
access-list outside_access_in line 1 extended permit icmp any any object-group DM_INLINE_ICMP_2 (hitcnt=4) 0xcbc18759
access-list outside_access_in line 1 extended permit icmp any any echo (hitcnt=4) 0x30be5688
access-list outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=175) 0x316fe298
access-list outside_access_in line 1 extended permit icmp any any traceroute (hitcnt=0) 0x6b47fb2a
access-list outside_access_in line 1 extended permit icmp any any unreachable (hitcnt=2) 0x30f100d2
access-list outside_access_in line 1 extended permit icmp any any time-exceeded (hitcnt=526) 0x16e6cb5d

icmp permit host 4.2.2.2 OUTSIDE
icmp deny any OUTSIDE

# sh run object-group id DM_INLINE_ICMP_2
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect sip
class class-default

# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

# traceroute 4.2.2.2

Type escape sequence to abort.
Tracing the route to 4.2.2.2

1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 b.resolvers.level3.net (4.2.2.2) 20 msec * 0 msec

Where are you running the

Marvin Rhoads — Tue, 10 Feb 2015 23:58:39 GMT

Where are you running the traceroute command from? If from the ASA itself, it appears that there might be an upstream ASA not setup like yours.

Other than that, your config looks correct. You might add the bits:

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl

...in order to appear as the first hop for clients on the inside of your ASA going out.

Hi Marvin,Thank you for the

Tupe_kunal — Wed, 11 Feb 2015 08:30:41 GMT

Hi Marvin,

Thank you for the reply.

I am trying to traceroute 4.2.2.2 from the ASA itself.

This is a Edge device where the Internet WAN link is terminated.

Will running this command #set connection decrement-ttl on the production ASA cause kind of outage.

Regards,

Kunal Tupe

Kunal,The settings you have

Marvin Rhoads — Wed, 11 Feb 2015 13:43:44 GMT

Kunal,

The settings you have made as described above all affect a traceroute THROUGH the ASA. You problem is with traceroute FROM the ASA and thus lies in your upstream firewall.

The one additional command I suggested only serves to add the ASA itself as a visible hop from traceroute originated behind your firewall and traversing it outbound. IT will not cause an outage but will also not fix the original problem you asked about.

Hi Marvin.Thanks a ton for

Tupe_kunal — Thu, 12 Feb 2015 10:26:08 GMT

Hi Marvin.

Thanks a ton for your help.

It worked for me.

I removed and reconfigured the acl and policy map with "set connection decrement-ttl" as instructed.

Cheers !!!

Regards,

Kunal Tupe