cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
87563
Views
71
Helpful
28
Replies

Allow Traceroute through ASA

Justin Westover
Level 1
Level 1

We are running version 9.1 of ASA code. I am having trouble allowing traceroute through the ASA. I don't need the ASA to be a hop in that traceroute. I have issue the fixup commands for icmp and icmp error. I have allowed ICMP, Echo, Echo Reply, time-exceeded, and unreachables. But I still can't traceroute through the ASA. If I traceroute on the ASA and source from the outside interface it works, but not from the inside interface. Looking at the logs I don't see anything indicating a problem. Ping works, just not traceroute. I have tested from both a MAC and a PC since I know that both uses different methods when performing a traceroute. Both are unable to traceroute through the ASA.

28 Replies 28

Hi, I solved it, I was missing "inspect icmp error" on  class inspection_default, by the way, confighuring:

 icmp unreachable rate-limit 10 burst-size 5

and

 class class-default
  set connection decrement-ttl

 

Will show the asa as a hop

access-list traceroute remark Allow traceroute

access-list traceroute extended permit icmp any any time-exceeded log 

access-list traceroute remark Allow traceroute

access-list traceroute extended permit icmp any any unreachable log

access-group traceroute in interface outside

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

  inspect ip-options 

  inspect icmp 

  inspect icmp error 

 class class-default

  user-statistics accounting

!

service-policy global_policy global

It worked perfect! Tested from Windows, MacOSX and a Cisco switch. Thank you! Had to add 'inspect icmp error' to get it to work properly.

hi Julio - 

 

So an acl with ttl-exceeded and time-exceeded match two different packets on a ASR1k.  One as a response from a MS host and the other from a Unix/Cisco host.  Both with the same reason for sending the icmp reply.

This one helped me as I was missing the access-group piece, this how my setup looks now.

access-list outside_IN extended permit icmp any any traceroute
access-list outside_IN extended permit icmp any any unreachable
access-list outside_IN extended permit icmp any any time-exceeded
...
access-group outside_IN in interface outside

...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
set connection decrement-ttl
...




Justin Westover
Level 1
Level 1

Sorry, no update. This was for a customer and they decided they didn't want this feature enabled. I haven't ran across this issue since then. Definitely keep pushing to get an answer as I am sure I will eventually run across this again.

Sent from Cisco Technical Support iPhone App

k.aumell
Level 1
Level 1

Has anyone found a solution to this? I've tried a number of things found in the forums, and none seem to work.

 

Any help is greatly appreciated.

Joe Doran
Level 1
Level 1

There are two requirements to get ICMP based traceroute to work:

* Inspect ICMP from the inside heading out.

* Allow ICMP time-exceeded inbound from outside.

Missing either requirement will cause traceroute to fail as seen from an internal host. So as an example:

access-list OUTSIDE_INGRESS remark *** ALLOW ICMP BASED TRACEROUTE ***
access-list OUTSIDE_INGRESS extended permit icmp any any time-exceeded

access-group OUTSIDE_INGRESS in interface Outside

class-map inside-inspection
 match default-inspection-traffic

policy-map inside-policy
 class inside-inspection
  inspect icmp

service-policy inside-policy interface Inside

 

These are just the relevant pieces of a working firewall config. If you are using the global service-policy and inspecting icmp, then you don't need to worry about any of the class-map, policy-map, or service-policy configuraton in my example above.

 

Regards,

Joe Doran

 

 

 

 

Thank you Doran, you saved my day.

I was running ASA 5510 v9.1 and I was experiencing the same problem. I was not able to traceroute from the internal LAN interface. I have already done the second requirement:

 

* Allow ICMP time-exceeded inbound from outside.

 

And I was wondering what is happening? So when I saw your post I checked the first requirement and it appears that I have not defined an inspect rule for the outgoing ICPM traffic. So I added it and everything looks good.

Can you explain or give me a link with information why I need to inspect the ICMP traffic?

 

Thank you again and have a nice day!

Sure,

The ICMP inspection allows the ASA to keep track of the ICMP connections built *through* the ASA. In your case, if you only had the ACL the TTL traffic is allowed in from the outside, but the ASA did not keep track of the connection, so the traffic was still denied.

In the other case, people may have had the ICMP inspection configuration so the ASA keeps track of the ICMP connections built through the ASA, but that command only dynamically allows ICMP echo replies back in, not the TTL expired, so it gets denied again in this scenario.

You need both pieces for the ICMP based traceroute so that you are allowed time expired traffic in, but you need the ASA also to know the details of the ICMP connection through the ASA.

I hope that helps. We can get much more detailed but I don't have time at the moment.

Wonderful !
Thank you for the explanation.

This works fine for getting trace route to show when tracing traffic from the inside interface to the outside interface but what about DMZ interfaces?

 

I have several firewalls some of which have several DMZ area's hanging off them.  Some of these firewalls have an outside connection and some do not.  It would be very beneficial for traceroute to show the firewall in its output.  I have added a class default and set connection decrement-ttl which worked when tracing internet bound traffic but not DMZ bound traffic.  When trying to trace DMZ bound traffic I'm not seeing anything getting denied and have ACL statements to allow echo, echo-reply, time-exceeded, and unreachables.  Does anyone know if it's possible to get the firewall to show when tracing traffic destined to a DMZ and not the outside?

H:\>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  10.1.1.254
  2     2 ms     1 ms     1 ms  10.20.0.1       <- Firewall inside ip
  3     3 ms     1 ms     1 ms  1*.***.***.**2
  4   
^C
 

C:\>tracert 10.10.10.5

Tracing route to 10.10.10.5
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  10.1.1.254
  2     *        *        *     Request timed out.    <-  firewall doesn't show
  3     2 ms     1 ms     1 ms  10.10.10.5

 

Firewall:

icmp unreachable rate-limit 10 burst-size 5
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside


access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded


access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply

access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
access-list dmz5_access_in extended permit icmp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded

class-map CLASS_DEFAULT
 match any
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect dns
  inspect ip-options
  inspect snmp
  inspect icmp
  inspect tftp
class CLASS_DEFAULT
  set connection decrement-ttl

 

This was very helpfuly.

>/Shane

lotfi abbas
Level 1
Level 1

i have a question ,

 

i have configured all necessary commands to allow traceroute from inside to outside

permit icmp any any unreachable

permit icmp any any time-exceeded

permit udp any any

when i tracert from windows 7 to 8.8.8.8 , i can see all hops including Firewall HOP.

when i traceroute from router and ubuntu , i can see firewall hop and all * uptill 8.8.8.8

 

whats the solution for this ,do i need to configure anything else in firewall.

what is the purpose of the below command.as i cannot see any hits  on traceroute ACL,when i traceroute from inside to outside

make new post friend it better 

MHM

Review Cisco Networking for a $25 gift card