Solved: Re: Asa 5505 - Traceroute

benedict.sikat · ‎01-16-2011

Hi ,

We just bought a Cisco ASA 5505 (asa 8.3 asdm 6.3 ). The tracert from a user PC to an outside public IP is not working. I cannot see the hops in between. I have read in the forums than you need to enable the inspect icmp and inspect icmp error. I have done both but my tracert from a PC looks like this ..

C:\Documents and Settings\benedict.sikat>tracert 203.126.222.6

Tracing route to 203.126.222.6 over a maximum of 30 hops

1     *        *        *     Request timed out.
2     *        *        *     Request timed out.
3     *        *        *     Request timed out.
4     *        *        *     Request timed out.
5     *        *        *     Request timed out.
6     *        *        *     Request timed out.
7     *        *        *     Request timed out.
8     *        *        *     Request timed out.
9    47 ms    46 ms    46 ms 203.126.222.6

Trace complete.

Here is the config of my firewall

ciscoasa# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password dlaAQhgxyhqovjep encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.191 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 116.12.158.227 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SGT 8
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 116.12.158.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source outside prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:16a1bbf116910c20036301b384efebc3
: end
ciscoasa#

Kureli Sankar · ‎01-16-2011

Federico,

Great job explaining.

In addition to inspect icmp and inspect icmp error, you also nee the following allowed on the outside ACL. Correct?

policy-map global_policy

class inspection_default

.

.
inspect icmp
inspect icmp error

access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded

http://packetu.com/content/view/50/

-KS

View solution in original post

Federico Coto Fajardo · ‎01-16-2011

Hi,

One way to do it was using the ACL:

access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded
access-list Outside_In extended permit icmp any any echo-reply

Now... it's definitely preferred to use the inspect ICMP/ICMP error that you mentioned.

Just keep in mind that on Linux Systems, traceroute uses UDP packet. The first packet is addressed to udp 33435 and each another packet will is addressed to an incremented port number. so second is 33436 etc...
. So you need permit UDP>33436 (in case you're using Linux).

But on Windows, traceroute is implemented by sending ICMP Echo packets..So you need permit ICMP echo packet

If you want linux to behave like windows then use the -I flag "Use ICMP ECHO instead of UDP datagrams."

Hope it helps.

Federico.

Kureli Sankar · ‎01-16-2011

Federico,

Great job explaining.

In addition to inspect icmp and inspect icmp error, you also nee the following allowed on the outside ACL. Correct?

policy-map global_policy

class inspection_default

.

.
inspect icmp
inspect icmp error

access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded

http://packetu.com/content/view/50/

-KS

benedict.sikat · ‎01-23-2011

Thanks to both Federico Coto Fajardo and Poonguzhali Sankar for the answers. Poonguzhali Sankar gave the more accurate solution.

Solution,

- Even though I have already the following, I am only able to see the first and last hop of the traceroute.

class inspection_default

inspect icmp

inspect icmp error

- As Sankar mentioned, the follwing access list has to be added

access-list Outside_In extended permit icmp any any unreachable
access-list Outside_In extended permit icmp any any time-exceeded

- Attach the access-list to the Outside interface

access-group Outside_In in interface outside

- As shown on the link provided by Sankar, http://packetu.com/content/view/50/ , the follwing extras are needed

- To see your ASA interface included in the result of the traceroute, add the following

policy-map global_policy

class class-default

set connection decrement-ttl

- Add the following to eliminate the * in the result of the traceroute as it passes through your ASA interface

icmp unreachable rate-limit 10 burst-size 5