Frequent Contributor

Allow traceroute on Cisco router

Hi guys,

I come today with a funny/tricky ACL issue.

I have this classic setup:

 - ASA (default route to the router) <----> 4000 series ISR router

 - ISR router has two interfaces Gi0/0 toward ASA and Gi0/1 toward ISP

 - default route is installed on ISR router from Gi0/1 with next hop: ISP_IP

 - ACL is applied on Gi0/1 on the IN direction (and that's the only ACL I am using)

show run | i access-group
ip access-group BOUNDARY-IPV4-ACL in

 - I want to enable ICMP traceroute from a PC behind ASA (I have taken care of ASA config) to Internet

Fun facts:

 - if I remove the ACL from Gi0/1 traceroute shows as expected including ISP_IP

 - with the ACL on, I see all hops but the ISP_IP

ACL config:

140 deny icmp any any fragments
180 permit icmp any any echo-reply (46782 matches)
190 permit icmp any any unreachable (536737 matches)
200 permit icmp any any time-exceeded (2770525 matches)

205 permit icmp any any traceroute
210 permit icmp any any packet-too-big
230 deny icmp any any (160680 matches)

What am I missing, guys?

6 Replies

RJI (VIP Advocate)

Re: Allow traceroute on Cisco router

Hi Florin,
In my lab I've mirrored the ACL config you have above, but have not replicated the issue... I can still see the ISP_IP address when tracerouting. Is there any other ACE that might be relevant, TTL etc.?

Perhaps running a monitor capture on the ISR with and without the ACL applied and reviewing it might shed some light?

Frequent Contributor

Re: Allow traceroute on Cisco router

I always run captures when I have issues on firewalls (no matter the vendor), but I missed this for a router. I will apply an ACL for the capture on both interfaces. I am thinking of:
- permit icmp public_IP any
- permit icmp any public_IP

public_IP is the SNAT IP that "gets out" from ASA.
Thoughts?
RJI (VIP Advocate)

Re: Allow traceroute on Cisco router

From my experience, UDP 137 is also used when tracerouting.

EDIT: Have you tried adding a temporary ACE at the top of the ACL, permitting ip host ISP_IP any log, and observing the output?

Frequent Contributor

Re: Allow traceroute on Cisco router

That might explain it; one thing I forgot to mention about my ACL is the last line of it: "deny ip any any"

RJI (VIP Advocate)

Re: Allow traceroute on Cisco router

Did you modify the ACL or run a packet capture and identify the issue?
Frequent Contributor

Re: Allow traceroute on Cisco router

Hello,

Believe it or not, that "deny ip any any" was hindering traceroute. I had allowed traffic from the NAT IP that hits the router and it works.

Thanks again RJI!
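To reason about threads like this one without a lab, it helps to walk the ACL the way IOS does: top to bottom, first match wins, and anything that reaches the end hits the explicit "deny ip any any" (or the implicit deny if there is none). The following is an added example, not Cisco code and not something posted in the thread. It parses the ACEs quoted above, resolves the IOS ICMP keywords to their type/code numbers, and reports which ACE a given packet lands on. The ISP hop address (203.0.113.1), the ASA SNAT address (198.51.100.10), the sequence number 999 for the final deny, and the sequence number 5 for RJI's suggested temporary ACE are all constructed placeholders. Fragment handling is simplified to "the fragments keyword matches only non-initial fragments"; IOS has further rules for non-initial fragments against L4-aware entries that this model does not reproduce.

```python
"""
First-match evaluator for a small subset of Cisco IOS extended ACL syntax.
Added example for the traceroute ACL thread; not a Cisco tool. Addresses
and sequence numbers for entries not quoted in the thread are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS ICMP keywords used in the thread, mapped to (type, code); code None = any code.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "time-exceeded": (11, None),
    "traceroute": (30, None),
    "packet-too-big": (3, 4),
}


@dataclass
class Packet:
    proto: str                      # "icmp", "udp", "tcp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    frag_offset: int = 0            # > 0 marks a non-initial fragment (no L4 header)


@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or a single host address
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    fragments: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.fragments:
            # 'fragments' matches only non-initial fragments (simplified model).
            return pkt.frag_offset > 0
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        if self.icmp_code is not None and self.icmp_code != pkt.icmp_code:
            return False
        return True


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at token {i}: {tokens[i]}")


def parse_ace(line: str) -> Ace:
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _parse_addr(t, 3)
    dst, i = _parse_addr(t, i)
    ace = Ace(seq, action, proto, src, dst)
    for opt in t[i:]:
        if opt in ICMP_KEYWORDS:
            ace.icmp_type, ace.icmp_code = ICMP_KEYWORDS[opt]
        elif opt == "fragments":
            ace.fragments = True
        elif opt == "log":
            pass                    # logging does not affect matching
        else:
            raise ValueError(f"unsupported option: {opt}")
    return ace


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching ACE, or ("deny", None)
    for the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL as quoted in the thread, plus the explicit final deny mentioned later
# (its sequence number 999 is a constructed placeholder).
THREAD_ACL = [
    "140 deny icmp any any fragments",
    "180 permit icmp any any echo-reply",
    "190 permit icmp any any unreachable",
    "200 permit icmp any any time-exceeded",
    "205 permit icmp any any traceroute",
    "210 permit icmp any any packet-too-big",
    "230 deny icmp any any",
    "999 deny ip any any",
]

ISP_IP = "203.0.113.1"      # constructed placeholder for the ISP next hop
NAT_IP = "198.51.100.10"    # constructed placeholder for the ASA SNAT address

if __name__ == "__main__":
    acl = parse_acl(THREAD_ACL)
    samples = {
        "ICMP time-exceeded from ISP hop": Packet("icmp", ISP_IP, NAT_IP, 11, 0),
        "ICMP echo from ISP hop": Packet("icmp", ISP_IP, NAT_IP, 8, 0),
        "UDP probe reply from ISP hop": Packet("udp", ISP_IP, NAT_IP),
    }
    for name, pkt in samples.items():
        print(f"{name:35s} -> {evaluate(acl, pkt)}")
```

Two things the walk makes visible that "show access-list" counters alone hide: entry 190 (unreachable, any code) shadows entry 210, because packet-too-big is ICMP type 3 code 4 and is consumed earlier, so 210 can never increment; and any non-ICMP traffic from the ISP hop falls through to the final "deny ip any any", which is where RJI's temporary "permit ip host ISP_IP any log" at the top of the list would catch it and show you, via the log, exactly what the hop is sending back.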