topic Re: Allow traceroute on Cisco router in Network Security

Allow traceroute on Cisco router

Florin Barhala — Fri, 21 Feb 2020 15:56:09 GMT

Hi guys,

I come today with some funny/tricky ACL issue.

I have this classic setup:

- ASA (default route to the router) <----> 4000 series ISR router

- ISR router has two interfaces Gi0/0 toward ASA and Gi0/1 toward ISP

- default route is installed on ISR router from Gi0/1 with next hop: ISP_IP

- ACL is applied on Gi0/1 on the IN direction (and that's the only ACL I am using)

show run | i access-group
ip access-group BOUNDARY-IPV4-ACL in

- I want to enable ICMP traceroute from a PC behind ASA (I have taken care of ASA config) to Internet

Fun facts:

- if I remove the ACL from Gi0/1 traceroute shows as expected including ISP_IP

- with the ACL on, I see all hops but the ISP_IP

ACL config:

140 deny icmp any any fragments
180 permit icmp any any echo-reply (46782 matches)
190 permit icmp any any unreachable (536737 matches)
200 permit icmp any any time-exceeded (2770525 matches)

205 permit icmp any any traceroute
210 permit icmp any any packet-too-big
230 deny icmp any any (160680 matches)

What am I missing, guys?

Re: Allow traceroute on Cisco router

Rob Ingram — Sat, 30 Jun 2018 09:51:23 GMT

Hi Florin,
In my lab I've mirrored the ACL config you have above, but have not replicated the issue...I can still see the ISP_IP address when tracerouting. Is there any other ACE that might be relevant, TTL etc?

Perhaps running a monitor capture on the ISR with and without the ACL applied and review might shed some light?

Re: Allow traceroute on Cisco router

Florin Barhala — Sat, 30 Jun 2018 10:37:20 GMT

I always run captures when I have issues on firewalls (no matter the vendor), but I missed this for a router. I will apply an ACL for the capture on both interfaces. I am thinking for:
- permit icmp public_IP any
- permit icmp any public_IP

public_IP is the SNAT IP that "gets out" from ASA.
Thoughts?

Re: Allow traceroute on Cisco router

Rob Ingram — Sat, 30 Jun 2018 11:27:12 GMT

From my experience UDP 137 is also used when tracerouting

EDIT: Have you tried adding a temporary ACE at the top of the ACL, permitting ip host ISP_IP any log and observe the output?

Re: Allow traceroute on Cisco router

Florin Barhala — Sun, 01 Jul 2018 04:19:33 GMT

That might explain it; one thing I forgot mentioning on my ACL is the last line of it: "deny ip any any"

Re: Allow traceroute on Cisco router

Rob Ingram — Mon, 02 Jul 2018 10:22:12 GMT

Did you modify the ACL or run a packet capture and identify the issue?

Re: Allow traceroute on Cisco router

Florin Barhala — Fri, 24 Aug 2018 07:10:52 GMT

Hello,

Believe it or not that "deny ip any any" was hindering traceroute. I had allowed traffic from the NAT IP that hits the router and it works.

Thanks again RJI!