I have this "common scenario" where ASA drops traceroute traffic.
C:\Windows\system32>tracert -d 10.22.10.63
Tracing route to 10.22.10.63 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.22.20.254
2 2 ms 2 ms 2 ms 10.22.25.4
3 * * * Request timed out.
4 1 ms 1 ms 1 ms 10.22.10.63
Obviously the * is on the outside ASA interface. Here's the related config:
1. Capture on ASA for dropped traffic
capture cap4 type asp-drop acl-drop [Capturing - 774 bytes]
match icmp any any
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
2. Interface config and ACL applied
show ip | i 10.22.1.62
Port-channel1.90 outside 10.22.1.62 255.255.255.240 CONFIG
access-group outside_in in interface outside
3. ACL config
sa outside_in | i icmp
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
4. ASA ICMP config
show run icmp
icmp unreachable rate-limit 10 burst-size 5
show run policy-map | i icmp
inspect icmp error
Any idea is welcome!
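An added triage example (not part of the original post): it parses asp-drop capture lines of the form shown above, groups them by drop reason and ICMP message, and flags the drops whose source address is one of the ASA's own interfaces, which is what a "* * *" hop at the firewall looks like from the capture side (the ASA builds the time-exceeded reply and then discards it). The capture lines are the three from the post plus one constructed echo-request drop; the inside interface line in the "show ip" sample is assumed.

```python
import re
from collections import Counter

# Constructed sample input: the three asp-drop capture lines quoted in the
# post, plus one unrelated drop (an inbound echo request from an outside
# host, constructed) so that the grouping below has something to separate.
CAPTURE = """\
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
7: 10:37:20.101010 198.51.100.9 > 10.22.20.1: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed "show ip" excerpt: the outside line is the one from the post,
# the inside line is an assumption for this example.
SHOW_IP = """\
Port-channel1.90 outside 10.22.1.62 255.255.255.240 CONFIG
Port-channel1.20 inside 10.22.20.254 255.255.255.0 CONFIG
"""

# One capture line:
# "<n>: <time> <src> > <dst>: icmp: <msg> Drop-reason: (<reason>) <detail>"
CAP_RE = re.compile(
    r"^\d+:\s+\S+\s+(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<msg>.+?)\s+"
    r"Drop-reason: \((?P<reason>[^)]+)\)\s*(?P<detail>.*)$"
)


def parse_capture(text):
    """Parse 'show capture' output of an asp-drop capture into dicts."""
    drops = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            drops.append(m.groupdict())
    return drops


def asa_addresses(show_ip):
    """Collect the ASA's own interface addresses (third column of 'show ip')."""
    addrs = set()
    for line in show_ip.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            addrs.add(cols[2])
    return addrs


def summarize(drops):
    """Count drops by (reason, ICMP message) to see what dominates."""
    return Counter((d["reason"], d["msg"]) for d in drops)


def self_originated(drops, addrs):
    """Drops sourced from the ASA itself: the firewall generated the packet
    (here an ICMP time-exceeded for an expired TTL) and its own policy then
    discarded it, so the tracing host never sees the hop."""
    return [d for d in drops if d["src"] in addrs]


if __name__ == "__main__":
    drops = parse_capture(CAPTURE)
    for (reason, msg), n in summarize(drops).items():
        print(f"{n:3d}  {reason:<10} {msg}")
    own = self_originated(drops, asa_addresses(SHOW_IP))
    print(f"{len(own)} drop(s) sourced from the ASA's own interface addresses")
```

Run it against a real capture by replacing the two constructed strings with the output of `show capture <name>` and `show ip`; any non-empty result from self_originated points at the firewall's own replies being denied rather than at transit traffic.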
By default an ASA won't decrement the icmp ttl used by traceroute even if ICMP is otherwise allowed and inspected.
To get the full functionality including the ASA reporting its interface address in the path, you need to add a line to class-default as follows:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection decrement-ttl
Thank you guys, but this is not about ASA showing up.
In my original post I mentioned that those * * * from traceroute are on the ASA.
There's also the asp-drop acl-drop capture I shared, taken on the ASA. So the issue is that the ASA drops the traceroute...
The decrement-ttl will fix the * * * entries assuming everything else is configured correctly.
Your original post shows the ACL entry permitting icmp inbound is currently disabled:
access-list outside_in line 10 extended permit icmp any4 any4 log disable
Marvin, I have to disagree: decrement-ttl is present; had it not been present, those * * * would not show up, as the ASA IP would not be shown. Anyway, here's the config:
show run policy-map
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect icmp error
flow-export event-type all destination 10.22.10.63
set connection decrement-ttl
As for the ACL, the ACE is on, aka ENABLED; it's only logging that's disabled.
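An added configuration check (example code, not from the thread or from Cisco): it takes "show run policy-map" and "show access-list" style text and verifies the three things this thread has been going over, namely that `inspect icmp error` is present, that `set connection decrement-ttl` is present, and that an ICMP-permitting ACE exists that is actually enabled. It also separates `log disable` (logging turned off, ACE still active) from the `inactive` keyword (ACE switched off), which is the distinction the reply above makes. The policy-map sample reuses the lines quoted above with class headers assumed, since they were lost in the paste; the third ACE and its hash are constructed.

```python
import re

# Constructed sample: the policy-map lines quoted above, with class headers
# that are assumed here (the pasted output lost its indentation).
POLICY_MAP = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp error
 class class-default
  flow-export event-type all destination 10.22.10.63
  set connection decrement-ttl
"""

# Constructed ACL sample: the two ACEs from the thread plus an assumed third
# ACE marked inactive (placeholder hash), to show what a disabled ACE looks
# like next to one that merely has logging disabled.
ACL = """\
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
access-list outside_in line 14 extended permit icmp any4 any4 unreachable inactive (hitcnt=0) 0x00000000
"""

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+)(?: line (?P<line>\d+))? extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)(?P<rest>.*)$"
)
# Tokens that can follow the destination and are not an ICMP type.
NOT_ICMP_TYPE = {"log", "inactive", "time-range"}


def parse_aces(text):
    """Parse extended ACEs; tolerate the (hitcnt=...) 0x... display suffix."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        tokens = rest.split()
        icmp_type = None
        if m.group("proto") == "icmp" and tokens:
            first = tokens[0]
            if first not in NOT_ICMP_TYPE and not first.startswith("("):
                icmp_type = first
        hits = re.search(r"hitcnt=(\d+)", rest)
        aces.append({
            "line": m.group("line"),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "icmp_type": icmp_type,               # None means all ICMP types
            "logging": "disabled" if "log disable" in rest else "default",
            "enabled": re.search(r"\binactive\b", rest) is None,
            "hits": int(hits.group(1)) if hits else None,
        })
    return aces


def check_traceroute_prereqs(policy_map, acl):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    pm_lines = {line.strip() for line in policy_map.splitlines()}
    if "inspect icmp error" not in pm_lines:
        findings.append("policy-map: missing 'inspect icmp error'")
    if "set connection decrement-ttl" not in pm_lines:
        findings.append("policy-map: missing 'set connection decrement-ttl'")
    icmp_permits = [
        a for a in parse_aces(acl)
        if a["action"] == "permit" and a["proto"] == "icmp" and a["enabled"]
        and a["icmp_type"] in (None, "time-exceeded")
    ]
    if not icmp_permits:
        findings.append("acl: no enabled ACE permits icmp time-exceeded")
    return findings


if __name__ == "__main__":
    for a in parse_aces(ACL):
        state = "enabled" if a["enabled"] else "INACTIVE"
        print(f"line {a['line']}: {a['action']} {a['proto']} "
              f"type={a['icmp_type'] or 'any'} {state}, logging {a['logging']}")
    print(check_traceroute_prereqs(POLICY_MAP, ACL) or ["all prerequisites present"])
```

With the thread's own config the check returns no findings, which matches the poster's point: every prerequisite discussed so far is in place, so the drop has to be explained by something else in the rule set (ordering, another ACL, or a rule matching before line 10).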
"time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule"
As per this document:-
Thanks for the heads-up! Ahead of rule 10 there are only Allow rules; I moved it to rule no. 1 & 2 and got the same output.
Review other causes: