ASA 5505 Traceroute Problem

dbeidleii · ‎03-19-2013

Problem:

Traceroutes return all ***'s after default gateway IP until they complete. Logging onto an wireless access-point not behind the ASA has the traceroutes completing as expected with each hop showing IP and response. I am testing from a linux machine at this time. Tests from a windows machine show the same results. Traceroute examples and ASA config below. Please let me know any further information I can provide you and thanks in advance for your assistance.

[root@Xwing ~]# traceroute -I 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets

1 192.168.3.1 (192.168.3.1) 2.268 ms 2.572 ms 3.178 ms

2 Darkside (192.168.2.1) 6.902 ms 7.735 ms 7.971 ms

3 162.192.96.142 (162.192.96.142) 8.699 ms 9.180 ms 9.669 ms

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 b.resolvers.Level3.net (4.2.2.2) 45.867 ms 46.576 ms 47.186 ms

[root@Xwing ~]# traceroute -I bbc.co.uk

traceroute to bbc.co.uk (212.58.253.67), 30 hops max, 60 byte packets

1 192.168.3.1 (192.168.3.1) 2.515 ms 2.809 ms 3.381 ms

2 Darkside (192.168.2.1) 7.362 ms 7.876 ms 8.309 ms

3 162.192.96.142 (162.192.96.142) 8.950 ms 9.556 ms 9.904 ms

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

13 * * *

14 * * *

15 * * *

16 * * *

17 * * *

18 * * *

19 www-vip.cwwtf.bbc.co.uk (212.58.253.67) 149.238 ms 149.812 ms 150.293 ms

[root@Xwing ~]#

darkside# sh run

: Saved

:

ASA Version 9.0(2)

!

hostname darkside

enable password ********** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd ******** encrypted

names

ip local pool vpn_users 192.168.4.1-192.168.4.5 mask 255.255.255.0

!

interface Ethernet0/0

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa902-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-192.168.4.0

subnet 192.168.4.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list acl_inside extended permit ip any any

access-list Split_Tunnel_List extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list acl_outside extended permit udp any any

access-list acl_outside extended permit icmp any any traceroute

access-list acl_outside extended permit icmp any any time-exceeded

access-list acl_outside extended permit icmp any any echo

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended permit icmp any any unreachable

access-list acl_outside extended permit icmp any any

access-list acl_outside extended permit tcp any any eq https

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging console alerts

logging buffered warnings

logging trap informational

logging facility 22

logging host inside 192.168.2.5

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 10 burst-size 5

icmp permit any unreachable outside

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.4.0 obj-192.168.4.0 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group acl_outside in interface outside

route inside 192.168.3.0 255.255.255.0 192.168.2.100 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet 192.168.3.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 4.2.2.2 4.2.2.1

!

dhcpd address 192.168.2.100-192.168.2.131 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-3.1.02040-k9.pkg 2

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-idle-timeout 28800

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

tunnel-group vpn_users type remote-access

tunnel-group vpn_users general-attributes

address-pool vpn_users

tunnel-group vpn_users webvpn-attributes

group-alias Me enable

!

class-map class-tracert

match any

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect icmp

inspect ftp

inspect icmp error

inspect dns

class class-default

set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:07fb98ed98653b80e1e52af20e0762ab

: end

darkside#

jocamare · ‎03-19-2013

The ASA appears on the traceroute, the rest is hidden probably because that's how the manager of the ASA's DW configured it.

Some people configure their devices to don't reply to traceroutes in order to remain "hidden".

Or maybe there is another firewall in the path and is not allowing that traffic.

Either way, your ASA is properly configured to at least appear on the trace.

Julio Carvajal · ‎03-19-2013

Hello David,

Hope you are having a great day.

First of all lets set the basics:

Linux and Cisco devices will send UDP packets to a pseudorandom port to build the network map, the reply will be an UDP ICMP Port-Unreachable

Windows use ICMP messages,with a TTL of 1 and then incrementing hop by hop. the reply will be a TTL Exceeded.

So Far so good right.

So on the Scenario you are showing us we can see the traceroute working as we can reach the destination but looks like some devices responses are not reaching us.. Why is that?

Well that is because we have the ASA in place and those particular ICMP message codes are not permited by default

So let's do the following:

access-list Julio permit icmp any any eq time-exceeded

access-list Julio permit icmp any any eq unreachable

access-group Julio in interface outside

Hope that I could help

Julio Carvajal

Advanced Security Trainer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

dbeidleii · ‎03-20-2013

Jocamare,

This ASA is on my home network and sits behind my AT&T router-gateway. I can plug directly into the AT&T device and traceroutes work completely fine. They just don't work behind the ASA.

Julio,

I have the ICMP allows already in my outside interface ACL.

access-list acl_outside extended permit icmp any any traceroute

access-list acl_outside extended permit icmp any any time-exceeded

access-list acl_outside extended permit icmp any any echo

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended permit icmp any any unreachable

darkside(config)# sh run access-group

access-group acl_outside in interface outside

darkside(config)#

Do you have any other ideas? I'm at a loss on my end as to why it's not working. I get 3 hops on my traceroute already with the ASA as hop 2 and the ISP's equipment as hop 3.

--Dave

Julio Carvajal · ‎03-20-2013

Hello David,

Can you add this and test:

icmp unreachable rate-limit 30 burst-size 5

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

dbeidleii · ‎03-20-2013

Julio,

I have added the line you requested and there was no change in my ability to traceroute.

darkside# config t

darkside(config)# icmp unreachable rate-limit 30 burst-size 5

darkside(config)#

darkside#

root@DeathStar:~# traceroute -I 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets

1 Darkside (192.168.2.1) 0.702 ms 0.890 ms 0.891 ms

2 162.192.96.142 (162.192.96.142) 2.733 ms 2.878 ms *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 b.resolvers.Level3.net (4.2.2.2) 61.059 ms 62.027 ms 62.031 ms

Julio Carvajal · ‎03-20-2013

Hello David,

Is there a way you could capture the ICMP unreachable port messages on the outside interface to determine if the ASA is indeed receiving those packets.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jocamare · ‎03-20-2013

Ok, this time looks like related to the ASA. The "they-are-hidding" theory is still valid though

From my experiences with windows, you will only need "access-list acl_outside extended permit icmp any any time-exceeded", you should even see hitcounts in that rule when doing a "show access-list acl_outside".

Have you tried to allow all ICMP?

Like, "access-list acl_outside extended permit icmp any any" ?

Julio Carvajal · ‎03-20-2013

Hello Jorell,

ICMP is already enabled and we are using right now a linux machine to test,

We are waiting for the captures to determine what is going on

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nagammai.shanmugham · ‎07-31-2013

Is there any command - ip verify reverse-path in the configuration. If yes, please disable that and check. I had the same problem and after removing that, i could see the hops in the traceroute.