Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5512
Views
0
Helpful
6
Replies

Allow traceroute on Cisco router

Florin Barhala
Level 6
Level 6

‎06-29-2018 11:58 PM - edited ‎02-21-2020 07:56 AM

Hi guys,

 

I come today with some funny/tricky ACL issue.

I have this classic setup:

 - ASA (default route to the router) <----> 4000 series ISR router

 - ISR router has two interfaces Gi0/0 toward ASA and Gi0/1 toward ISP

 - default route is installed on ISR router from Gi0/1 with next hop: ISP_IP

 - ACL is applied on Gi0/1 on the IN direction (and that's the only ACL I am using)

show run | i access-group
ip access-group BOUNDARY-IPV4-ACL in

 - I want to enable ICMP traceroute from a PC behind ASA (I have taken care of ASA config) to Internet

 

Fun facts:

 - if I remove the ACL from Gi0/1 traceroute shows as expected including ISP_IP

 - with the ACL on, I see all hops but the ISP_IP

 

ACL config:

140 deny icmp any any fragments
180 permit icmp any any echo-reply (46782 matches)
190 permit icmp any any unreachable (536737 matches)
200 permit icmp any any time-exceeded (2770525 matches)

205 permit icmp any any traceroute
210 permit icmp any any packet-too-big
230 deny icmp any any (160680 matches)

 

What am I missing, guys?

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎06-30-2018 02:51 AM

Hi Florin,
In my lab I've mirrored the ACL config you have above, but have not replicated the issue...I can still see the ISP_IP address when tracerouting. Is there any other ACE that might be relevant, TTL etc?

Perhaps running a monitor capture on the ISR with and without the ACL applied and review might shed some light?
0 Helpful

Florin Barhala
Level 6
Level 6
In response to Rob Ingram

‎06-30-2018 03:37 AM

I always run captures when I have issues on firewalls (no matter the vendor), but I missed this for a router. I will apply an ACL for the capture on both interfaces. I am thinking for:
- permit icmp public_IP any
- permit icmp any public_IP

public_IP is the SNAT IP that "gets out" from ASA.
Thoughts?
0 Helpful

Rob Ingram
VIP
VIP
In response to Florin Barhala

‎06-30-2018 04:04 AM - edited ‎06-30-2018 04:27 AM

From my experience UDP 137 is also used when tracerouting

 

EDIT: Have you tried adding a temporary ACE at the top of the ACL, permitting ip host ISP_IP any log and observe the output?

0 Helpful

Florin Barhala
Level 6
Level 6
In response to Rob Ingram

‎06-30-2018 09:19 PM

That might explain it; one thing I forgot mentioning on my ACL is the last line of it: "deny ip any any"
0 Helpful

Rob Ingram
VIP
VIP
In response to Florin Barhala

‎07-02-2018 03:22 AM

Did you modify the ACL or run a packet capture and identify the issue?
0 Helpful

Florin Barhala
Level 6
Level 6
In response to Rob Ingram

‎08-24-2018 12:10 AM

Hello,

 

Believe it or not that "deny ip any any" was hindering traceroute. I had allowed traffic from the NAT IP that hits the router and it works.

 

Thanks again RJI!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card