10-08-2013 07:18 AM - edited 03-11-2019 07:48 PM
Hi,
We have an ASA 5525 firewall, and whenever I perform a traceroute passing through the firewall I am not getting any hop count after the firewall (the firewall IP is also not showing in the traceroute).
I have allowed ICMP and also configured ICMP in the policy_map global policy.
Please help me to resolve this issue.
Regards,
Dheeraj
10-08-2013 07:33 AM
Hi Dheeraj,
The firewall blocks traceroute because it doesn't decrement the TTL value by default. You would need the following to enable it:
ciscoasa(config)#class-map class-default
ciscoasa(config-cmap)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop.
Cheers,
Naveen
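To make the two knobs in the answer above concrete, here is a small Python simulation added for this thread (it is not Cisco code and not part of the original post). A traceroute walks a constructed path inside-router, ASA, outside-router, server; the ASA is modelled as a hop that by default passes the TTL through untouched and, once `set connection decrement-ttl` is on, answers with ICMP time-exceeded replies subject to a token bucket standing in for `icmp unreachable rate-limit N burst-size M`. The hop names, the RFC 5737 documentation addresses, the 10 ms probe spacing, the 5 s probe timeout and the token-bucket model of the rate limiter are all assumptions made for the example.

```python
"""Constructed simulation of why a firewall that passes TTL through untouched
never appears in a traceroute, and why an ICMP reply rate limit of 1/s with
burst 1 produces '*' for the firewall hop once it does decrement.
Example code written for this thread, not Cisco software; addresses are from
RFC 5737 documentation ranges and all timings are made up."""
from dataclasses import dataclass, field


@dataclass
class Hop:
    name: str
    addr: str
    decrement_ttl: bool = True        # ASA default is False: TTL is not touched
    unreach_rate_limit: int = 10**6   # replies per second (icmp unreachable rate-limit)
    unreach_burst: int = 10**6        # token-bucket depth (burst-size)
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.unreach_burst)

    def can_reply(self, ts: float) -> bool:
        """Token bucket standing in for the ASA's ICMP unreachable rate limiter
        (assumed model: refill rate_limit tokens/s, capped at burst tokens)."""
        refilled = self.tokens + (ts - self.last_ts) * self.unreach_rate_limit
        self.tokens = min(self.unreach_burst, refilled)
        self.last_ts = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def expires_at(path, ttl):
    """Index of the hop that answers a probe sent with this TTL: the transit hop
    that decrements the TTL to zero (ICMP time exceeded), else the final host."""
    for i, hop in enumerate(path[:-1]):
        if hop.decrement_ttl:
            ttl -= 1
            if ttl == 0:
                return i
    return len(path) - 1


def traceroute(path, probes=3, gap=0.01, timeout=5.0):
    """Return [(ttl, [responder address or '*', ...]), ...] until the last hop
    answers. Constructed timing: probes 10 ms apart, 5 s wait on no answer."""
    ts = 0.0
    rows = []
    for ttl in range(1, len(path) + 1):
        row = []
        i = expires_at(path, ttl)
        last = i == len(path) - 1   # the host's port-unreachable is not rate limited here
        for _ in range(probes):
            if last or path[i].can_reply(ts):
                row.append(path[i].addr)
                ts += gap
            else:
                row.append("*")
                ts += timeout
        rows.append((ttl, row))
        if last:
            break
    return rows


def build_path(asa_decrements, rate_limit=1, burst=1):
    """inside-router -> ASA -> outside-router -> server (constructed topology)."""
    return [
        Hop("inside-router", "192.0.2.1"),
        Hop("asa", "198.51.100.1", asa_decrements, rate_limit, burst),
        Hop("outside-router", "203.0.113.1"),
        Hop("server", "203.0.113.10"),
    ]


def main():
    scenarios = {
        "ASA default (no decrement-ttl)": build_path(False),
        "decrement-ttl, default rate-limit 1 burst-size 1": build_path(True, 1, 1),
        "decrement-ttl, rate-limit 10 burst-size 5": build_path(True, 10, 5),
    }
    for title, path in scenarios.items():
        print(title)
        for ttl, row in traceroute(path):
            print(f"  {ttl:2d}  {'  '.join(row)}")


if __name__ == "__main__":
    main()
```

Running it prints three tables. With the default the ASA simply never appears and the server is reached one hop earlier, which is exactly the symptom in the question. With decrement-ttl on but the default rate-limit 1 burst-size 1, the ASA line shows a `*` for the probe that arrived while its single token was spent. With rate-limit 10 burst-size 5 all three probes are answered. The first table is also why a transparent-TTL firewall is hard to place from outside, so enabling decrement-ttl is a trade-off between troubleshooting convenience and topology exposure.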
10-09-2013 12:12 AM
Hi Naveen,
Problem resolved now.
Thanks for your response.
Regards,
Dheeraj