Solved: ASA 5525 firewall Trace Route.

dheeraj_singh · ‎10-08-2013

Hi,

We are Having ASA 5525 firewall and Whenever I am performing traceroute passing through the firewall and i am not getting any hop count after firewall( Firewall IP is also not shwoing in Trace Route.

ICMP I had allowed and also configure ICMP in the Policy_Map global Policy.

PLease help me to resolve this issue.

Regards,

Dheeraj

narawat · ‎10-08-2013

Hi Dheeraj,

firewall blocks Traceroute as doesnt decrements the TTL value by default. You would need the following to enable the same:

Make the Firewall Show Up in a Traceroute in ASA/PIX

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any


!--- This class-map exists by default.


ciscoasa(config)#policy-map global_policy


!--- This Policy-map exists by default.


ciscoasa(config-pmap)#class class-default


!--- Add another class-map to this policy.


ciscoasa(config-pmap-c)#set connection decrement-ttl


!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.


ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global


!--- This service-policy exists by default.

WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5


!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop:

Cheers,

Naveen

View solution in original post

narawat · ‎10-08-2013