asa drops

bluesea2010
Level 5

Hi,

C:\Documents and Settings\Administrator>tracert fast.com

Tracing route to fast.com [23.50.182.181]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.10.1
2 <1 ms <1 ms <1 ms 172-16-10-25
3 112 ms 112 ms 112 ms 172.16.10.10
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.


From the above traceroute, the third hop is the ASA firewall. I cannot reach the IP 23.50.182.181. From the above output, can I assume the ASA drops?

How can I verify whether the ASA drops or not?


Thanks

6 Replies

bhargavdesai
Spotlight
Generally the ASA drops the traceroute packets.
If you want to check, you can try visiting the website.
And if you still want, you can allow it with the configuration below.

fixup protocol icmp

access-list OUTSIDE_INGRESS remark *** ALLOW ICMP BASED TRACEROUTE ***
access-list OUTSIDE_INGRESS extended permit icmp any any time-exceeded

access-group OUTSIDE_INGRESS in interface Outside



HTH

Hi,

I have inspect icmp in the policy map:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

Does inspect icmp not solve the problem?

And does traceroute require any additional ports other than ICMP?

I mean, are there any UDP ports that need to be opened?

 

Thanks
inspect icmp will not solve the problem?
Answer: It is only one part. You need to understand how traceroute works; I would refer you to the wiki page https://en.wikipedia.org/wiki/Traceroute

And traceroute requires any additional ports other than icmp?
I mean is there any udp ports need to be opened?

Answer: UDP is used by Linux-based systems, and for that you might be required to enable inspect icmp error and also an additional line in the access list:

access-list OUTSIDE_INGRESS extended permit icmp any any unreachable

I would say that once you go through the Wiki page, you will understand the whole idea of how traceroute works.


HTH

Hi,

Thanks for the reply.

Here is my topology: [image: Screen Shot 2019-09-14 at 1.00.36 PM.png]

In the traceroute output it does not show the ASA; instead it shows R2's interface. Is this normal?

Or, to show the ASA inside interface in the traceroute, what should I do?

Thanks

Hi,

By default the ASA does not appear as a hop in a traceroute; to enable this:

policy-map global_policy
class class-default
set connection decrement-ttl

More information here.

HTH
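The mechanics behind the replies above (each router returning ICMP Time Exceeded for a probe whose TTL expires, the ACL entries the ASA needs so those replies and the final Port Unreachable of a Linux UDP traceroute can come back in, and the ASA's default of forwarding without decrementing TTL so it never shows as a hop) as a small Python simulation. This is an added example, not code from the thread or from Cisco. The topology, the ASA address 172.16.10.1 and the upstream router 203.0.113.1 are constructed; the other addresses are taken from the tracert output above. The model has no NAT, so inspect icmp error, which the second reply also mentions, is not represented.

```python
from dataclasses import dataclass
from typing import Optional

TIME_EXCEEDED = "time-exceeded"  # ICMP type 11: a router dropped a probe whose TTL hit 0
UNREACHABLE = "unreachable"      # ICMP type 3: the destination answers a UDP probe (port unreachable)
ECHO_REPLY = "echo-reply"        # ICMP type 0: the destination answers an ICMP echo probe


@dataclass(frozen=True)
class Hop:
    """One device on the forward path (constructed model, not ASA code).

    decrement_ttl=False models the ASA default: the packet is forwarded with its TTL
    untouched, so the ASA never generates Time Exceeded and never appears as a hop.
    filtering=True marks the ASA; inspect_icmp and acl_permit then decide which
    replies may come back in through it. Plain routers pass every reply.
    """
    addr: str
    decrement_ttl: bool = True
    filtering: bool = False
    inspect_icmp: bool = False            # 'inspect icmp': stateful echo / echo-reply
    acl_permit: frozenset = frozenset()   # ICMP error types permitted by the inbound ACL


def reply_passes(hop: Hop, kind: str) -> bool:
    """Can a reply of this ICMP kind cross the hop on its way back to the source?"""
    if not hop.filtering:
        return True
    if kind == ECHO_REPLY:
        # the inspection engine matches the reply to the echo request it saw leave
        return hop.inspect_icmp or ECHO_REPLY in hop.acl_permit
    # Time Exceeded / Unreachable arrive from a third party, so they need an ACL entry
    return kind in hop.acl_permit


def send_probe(path: list, dst: str, ttl: int, proto: str) -> Optional[str]:
    """Forward one probe with the given TTL and return the address of whoever answered,
    or None when the answer was dropped on the way back (what tracert prints as * * *)."""
    for i, hop in enumerate(path):
        if hop.decrement_ttl:
            ttl -= 1
            if ttl == 0:
                responder, kind, return_path = hop.addr, TIME_EXCEEDED, path[:i]
                break
    else:  # no hop expired the probe, so it reached the destination host
        responder = dst
        kind = ECHO_REPLY if proto == "icmp" else UNREACHABLE
        return_path = path
    for hop in reversed(return_path):   # the reply crosses every hop nearer to the source
        if not reply_passes(hop, kind):
            return None
    return responder


def traceroute(path: list, dst: str, proto: str = "icmp", max_hops: int = 30) -> list:
    """One entry per TTL (responder address or None); stops once the destination answers."""
    results = []
    for ttl in range(1, max_hops + 1):
        responder = send_probe(path, dst, ttl, proto)
        results.append(responder)
        if responder == dst:
            break
    return results


def render(results: list) -> str:
    return "\n".join(f"{n:2d}  {r if r else '* * *  Request timed out.'}"
                     for n, r in enumerate(results, 1))


# Constructed topology: PC -> 10.0.10.1 -> 172.16.10.25 -> ASA -> R2 172.16.10.10 -> ISP -> fast.com
DST = "23.50.182.181"
ASA_ADDR = "172.16.10.1"   # constructed address the ASA reports once it does decrement TTL


def topology(asa: Hop) -> list:
    return [Hop("10.0.10.1"), Hop("172.16.10.25"), asa, Hop("172.16.10.10"), Hop("203.0.113.1")]


# Four ASA policies, cumulative as in the thread: inspect icmp only; plus the
# time-exceeded ACL line; plus the unreachable ACL line; plus decrement-ttl.
ASA_INSPECT_ONLY = Hop(ASA_ADDR, decrement_ttl=False, filtering=True, inspect_icmp=True)
ASA_TIME_EXCEEDED = Hop(ASA_ADDR, decrement_ttl=False, filtering=True, inspect_icmp=True,
                        acl_permit=frozenset({TIME_EXCEEDED}))
ASA_BOTH_ERRORS = Hop(ASA_ADDR, decrement_ttl=False, filtering=True, inspect_icmp=True,
                      acl_permit=frozenset({TIME_EXCEEDED, UNREACHABLE}))
ASA_DECREMENT_TTL = Hop(ASA_ADDR, decrement_ttl=True, filtering=True, inspect_icmp=True,
                        acl_permit=frozenset({TIME_EXCEEDED, UNREACHABLE}))

if __name__ == "__main__":
    for label, asa, proto in [("inspect icmp only, Windows tracert", ASA_INSPECT_ONLY, "icmp"),
                              ("+ permit time-exceeded, Windows tracert", ASA_TIME_EXCEEDED, "icmp"),
                              ("+ permit time-exceeded, Linux UDP traceroute", ASA_TIME_EXCEEDED, "udp"),
                              ("+ permit unreachable, Linux UDP traceroute", ASA_BOTH_ERRORS, "udp"),
                              ("+ decrement-ttl, Windows tracert", ASA_DECREMENT_TTL, "icmp")]:
        print(f"== {label} ==")
        print(render(traceroute(topology(asa), DST, proto, max_hops=8)))
```

Run it and compare the five listings. With inspect icmp alone the final echo reply still comes back (the site itself is reachable), yet every hop beyond the ASA prints "* * *"; that pattern on its own cannot tell a client whether the ASA or something further out is discarding the replies, which is why the check belongs on the firewall itself (its own capture and packet-tracer tools) rather than in the client's tracert. The UDP listing shows why the unreachable entry matters: intermediate hops answer, but the trace never ends because the closing Port Unreachable is filtered.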

As per our expert @Rob Ingram, you can enable the ASA to show in traceroute, but there must be a strong reason to do so, as it is not enabled by default as part of security best practices.

HTH