03-19-2013 05:40 PM - edited 03-11-2019 06:16 PM
Problem:
Traceroutes return all ***'s after the default gateway IP until they complete. Logging onto a wireless access point not behind the ASA has the traceroutes completing as expected, with each hop showing IP and response. I am testing from a Linux machine at this time. Tests from a Windows machine show the same results. Traceroute examples and ASA config are below. Please let me know any further information I can provide, and thanks in advance for your assistance.
[root@Xwing ~]# traceroute -I 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets
1 192.168.3.1 (192.168.3.1) 2.268 ms 2.572 ms 3.178 ms
2 Darkside (192.168.2.1) 6.902 ms 7.735 ms 7.971 ms
3 162.192.96.142 (162.192.96.142) 8.699 ms 9.180 ms 9.669 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 b.resolvers.Level3.net (4.2.2.2) 45.867 ms 46.576 ms 47.186 ms
[root@Xwing ~]# traceroute -I bbc.co.uk
traceroute to bbc.co.uk (212.58.253.67), 30 hops max, 60 byte packets
1 192.168.3.1 (192.168.3.1) 2.515 ms 2.809 ms 3.381 ms
2 Darkside (192.168.2.1) 7.362 ms 7.876 ms 8.309 ms
3 162.192.96.142 (162.192.96.142) 8.950 ms 9.556 ms 9.904 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 www-vip.cwwtf.bbc.co.uk (212.58.253.67) 149.238 ms 149.812 ms 150.293 ms
[root@Xwing ~]#
darkside# sh run
: Saved
:
ASA Version 9.0(2)
!
hostname darkside
enable password ********** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ******** encrypted
names
ip local pool vpn_users 192.168.4.1-192.168.4.5 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa902-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list acl_inside extended permit ip any any
access-list Split_Tunnel_List extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_outside extended permit udp any any
access-list acl_outside extended permit icmp any any traceroute
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq https
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console alerts
logging buffered warnings
logging trap informational
logging facility 22
logging host inside 192.168.2.5
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 10 burst-size 5
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.4.0 obj-192.168.4.0 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group acl_outside in interface outside
route inside 192.168.3.0 255.255.255.0 192.168.2.100 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2 4.2.2.1
!
dhcpd address 192.168.2.100-192.168.2.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.1.02040-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 28800
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
tunnel-group vpn_users type remote-access
tunnel-group vpn_users general-attributes
address-pool vpn_users
tunnel-group vpn_users webvpn-attributes
group-alias Me enable
!
class-map class-tracert
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
inspect icmp error
inspect dns
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:07fb98ed98653b80e1e52af20e0762ab
: end
darkside#
03-19-2013 09:15 PM
The ASA appears on the traceroute; the rest is hidden, probably because that's how the manager of the ASA's DW configured it.
Some people configure their devices not to reply to traceroutes in order to remain "hidden".
Or maybe there is another firewall in the path that is not allowing that traffic.
Either way, your ASA is properly configured to at least appear on the trace.
03-19-2013 09:58 PM
Hello David,
Hope you are having a great day.
First of all, let's set the basics:
Linux and Cisco devices will send UDP packets to a pseudorandom port to build the network map; the reply will be a UDP ICMP Port-Unreachable.
Windows uses ICMP messages, with a TTL of 1 and then incrementing hop by hop; the reply will be a TTL Exceeded.
So far so good, right?
So in the scenario you are showing us we can see the traceroute working, as we can reach the destination, but it looks like some devices' responses are not reaching us. Why is that?
Well, that is because we have the ASA in place and those particular ICMP message codes are not permitted by default.
So let's do the following:
access-list Julio permit icmp any any time-exceeded
access-list Julio permit icmp any any unreachable
access-group Julio in interface outside
Hope that I could help
Julio Carvajal
Advanced Security Trainer
03-20-2013 04:07 AM
Jocamare,
This ASA is on my home network and sits behind my AT&T router-gateway. I can plug directly into the AT&T device and traceroutes work completely fine. They just don't work behind the ASA.
Julio,
I have the ICMP allows already in my outside interface ACL.
access-list acl_outside extended permit icmp any any traceroute
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
darkside(config)# sh run access-group
access-group acl_outside in interface outside
darkside(config)#
Do you have any other ideas? I'm at a loss on my end as to why it's not working. I get 3 hops on my traceroute already with the ASA as hop 2 and the ISP's equipment as hop 3.
--Dave
03-20-2013 09:44 AM
Hello David,
Can you add this and test:
icmp unreachable rate-limit 30 burst-size 5
03-20-2013 10:08 AM
Julio,
I have added the line you requested and there was no change in my ability to traceroute.
darkside# config t
darkside(config)# icmp unreachable rate-limit 30 burst-size 5
darkside(config)#
darkside#
root@DeathStar:~# traceroute -I 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets
1 Darkside (192.168.2.1) 0.702 ms 0.890 ms 0.891 ms
2 162.192.96.142 (162.192.96.142) 2.733 ms 2.878 ms *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 b.resolvers.Level3.net (4.2.2.2) 61.059 ms 62.027 ms 62.031 ms
03-20-2013 10:12 AM
Hello David,
Is there a way you could capture the ICMP port-unreachable messages on the outside interface to determine if the ASA is indeed receiving those packets?
Regards
03-20-2013 01:09 PM
Ok, this time it looks like it is related to the ASA. The "they-are-hiding" theory is still valid, though.
From my experience with Windows, you will only need "access-list acl_outside extended permit icmp any any time-exceeded"; you should even see hit counts on that rule when doing a "show access-list acl_outside".
Have you tried allowing all ICMP?
Like "access-list acl_outside extended permit icmp any any"?
03-20-2013 01:31 PM
Hello Jorell,
ICMP is already enabled, and right now we are using a Linux machine to test.
We are waiting for the captures to determine what is going on.
07-31-2013 11:45 PM
Is there any command, ip verify reverse-path, in the configuration? If yes, please disable that and check. I had the same problem, and after removing that I could see the hops in the traceroute.
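Pulling together the knobs raised across this thread (the outside ACL entries for time-exceeded and unreachable, "icmp permit" on the outside interface, "inspect icmp error" and "set connection decrement-ttl" from the posted config, and the "ip verify reverse-path" check from the last reply), here is an added config-audit script that is not from the thread or from Cisco. It runs against a constructed excerpt of the posted config; the check names are my own.

```python
import re
# Constructed excerpt modelled on the running-config posted in the thread; not a live device.
SAMPLE_CONFIG = """
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any unreachable
icmp permit any time-exceeded outside
access-group acl_outside in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp error
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""

def audit_traceroute_config(config, outside="outside"):
    """Check the ASA settings the thread relies on for traceroute through the box.
    Returns {check: bool}; True means in place (for RPF, True means absent)."""
    lines = [l.strip() for l in config.splitlines()]
    acl = None  # ACL applied inbound on the outside interface, if any
    for l in lines:
        m = re.match(rf"access-group (\S+) in interface {re.escape(outside)}$", l)
        if m:
            acl = m.group(1)

    def acl_permits(icmp_type):
        if acl is None:
            return False
        # A bare "permit icmp any any" covers the type too.
        pat = rf"access-list {re.escape(acl)} (extended )?permit icmp any any( {icmp_type})?$"
        return any(re.match(pat, l) for l in lines)

    def icmp_to_asa(icmp_type):
        # "icmp permit" governs ICMP addressed to the ASA's own interface.
        pat = rf"icmp permit any( {icmp_type})? {re.escape(outside)}$"
        return any(re.match(pat, l) for l in lines)

    return {
        "acl_time_exceeded": acl_permits("time-exceeded"),  # hop replies to probes
        "acl_unreachable": acl_permits("unreachable"),  # UDP traceroute's final reply
        "icmp_to_asa_time_exceeded": icmp_to_asa("time-exceeded"),
        "inspect_icmp_error": "inspect icmp error" in lines,  # NAT-fixes embedded headers
        "decrement_ttl": "set connection decrement-ttl" in lines,  # ASA appears as a hop
        "no_rpf_on_outside": f"ip verify reverse-path interface {outside}" not in lines,
    }

def failed_checks(config, outside="outside"):
    """Names of the checks that did not pass."""
    return [k for k, v in audit_traceroute_config(config, outside).items() if not v]
```

Paste the output of "show running-config" in place of the sample to get a pass/fail list; a config that passes every check but still drops hops points at the upstream devices rather than the ASA.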