Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
0
Helpful
2
Replies

ASA, NAT, ICMP Error Inspection, and Traceroute

Luke Robertson
Level 1
Level 1

‎11-06-2016 08:37 PM - edited ‎03-12-2019 01:29 AM

Hi,

I have an ASA on the edge of my network. When I traceroute from an outside host to an inside host, the last few hops all appear as the NAT IP for the inside host.

I have turned on ICMP inspection and ICMP error inspection.

I was able to replicate the conditions in VIRL. I have found that the cause of this issue is when I enable port-overloading. We use port overloading for web access, which covers anything that doesn't have a more specific NAT rule applied. We use config something like this:

nat (inside,outside) after-auto source dynamic any Overload-IP

The thing that I can't understand is this; Why does the router between the ASA and the inside host use the NAT IP of the inside host, and not the IP from the port-overload?

Also, is there a way to fix this behaviour? I thought about a NAT exemption rule at the top of the list, but I don't think I can create an exemption for just ICMP traffic.

Any ideas?

Thanks

Labels:
0 Helpful
2 Replies 2

Luke Robertson
Level 1
Level 1

‎11-07-2016 05:46 PM

I have had a look at this document:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/inspect_basic.html#pgfId-1541261

From here I can see that normally (without icmp error inspection), the ASA will translate the error packet based on the destination IP of the packet that caused the error. It gets this information from the ICMP payload.

Turning on icmp error inspection allows the ASA to rewrite this IP with the real IP of the device that's sending the error. That's why the traceroute looks right after enabling error inspection.

However, config like this:

nat (inside,outside) after-auto source dynamic any Overload

seems to override this behaviour, and prevent the ASA from rewriting the ICMP error with the real IP.

Does anyone know why?

Here is part of the packet tracer result for an ICMP time-exceeded error coming from the inside:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any Overload
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any Overload
Additional Information:

0 Helpful

Luke Robertson
Level 1
Level 1
In response to Luke Robertson

‎11-16-2016 04:00 PM

This has been logged as bug CSCvc12093

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card