07-12-2019 09:04 AM - edited 02-21-2020 09:18 AM
I was running a TraceRoute to a remote server that goes through our new ASA5516x Firewalls, via a Private link to our Partner site. I know it is at least 5 hops in to reach this server, as we just migrated from our older 55xx EOL Firewalls and could reach these servers. However, it appears that our ASA5516 is acting as a Proxy for the server, so I cannot "see" into the Partner network to assure the path is valid.
What configuration option do I need to change to stop the ASA5516 from responding for the remote servers/sites?
Z:\>tracert xxxx.xxxx.xx.site
Tracing route to xxxx.xxxx.xx.site [xx.xx.xx.37]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 1xx.x.x.1 <-- Core Router
2 <1 ms <1 ms <1 ms xxxx.xxxx.xx.site [xx.xx.xx.37] <--ASA5516 firewall
3 * * * Request timed out. <--same response to 30 hops
4 ^C
Z:\>
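The symptom in the trace above is recognisable mechanically: the destination address answers at an early hop and every hop after it is silent. The following Python script is an added example, not part of the original post or of any Cisco tool. It parses Windows tracert output in the format shown above and flags that pattern so the check can be run against a saved trace before assuming the path is valid. The host name `srv.example.test` and the addresses in the samples are constructed placeholders, not the poster's real hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the Windows tracert output in the post above
# (placeholder host and addresses, not real systems). The destination answers
# at hop 2 and every later hop times out: the "proxy" symptom being described.
PROXIED_TRACERT = """\
Tracing route to srv.example.test [192.0.2.37]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.0.0.1
  2    <1 ms    <1 ms    <1 ms  srv.example.test [192.0.2.37]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

# Constructed sample of a healthy trace: the destination is the final hop
# and every intermediate hop is visible.
CLEAN_TRACERT = """\
Tracing route to srv.example.test [192.0.2.37]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.0.0.1
  2     2 ms     2 ms     2 ms  10.0.0.2
  3     5 ms     5 ms     5 ms  198.51.100.1
  4     6 ms     6 ms     6 ms  srv.example.test [192.0.2.37]
"""

HEADER_RE = re.compile(r"Tracing route to (\S+)(?: \[([\d.]+)\])?")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")          # "<n>  <rtt...>  <host>"
NAMED_RE = re.compile(r"(\S+) \[([\d.]+)\]$")            # "name [ip]" at end of line
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")        # bare ip at end of line


@dataclass
class Hop:
    number: int
    ip: Optional[str]    # None when all three probes timed out
    name: Optional[str]  # reverse-DNS name when tracert printed one


def parse_tracert(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Parse Windows tracert output into (destination_ip, list of hops)."""
    target_ip: Optional[str] = None
    hops: List[Hop] = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            target_ip = header.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # blank line, "over a maximum of ..." line, prompt, etc.
        number, rest = int(m.group(1)), m.group(2)
        if rest.endswith("Request timed out."):
            hops.append(Hop(number, None, None))
            continue
        named = NAMED_RE.search(rest)
        if named:
            hops.append(Hop(number, named.group(2), named.group(1)))
            continue
        bare = IP_RE.search(rest)
        if bare:
            hops.append(Hop(number, bare.group(1), None))
    return target_ip, hops


def find_proxy_answer(target_ip: Optional[str], hops: List[Hop]) -> Optional[int]:
    """Return the hop number at which the destination address first answers
    when, and only when, every hop after it is silent. That is the pattern in
    the post: a device in the path replies as the destination, and nothing
    beyond it can be seen. A normal trace (destination last, or intermediate
    hops visible after it) returns None."""
    if target_ip is None:
        return None
    for idx, hop in enumerate(hops):
        if hop.ip == target_ip:
            later = hops[idx + 1:]
            if later and all(h.ip is None for h in later):
                return hop.number
            return None
    return None


if __name__ == "__main__":
    for label, sample in (("proxied", PROXIED_TRACERT), ("clean", CLEAN_TRACERT)):
        target, hops = parse_tracert(sample)
        early = find_proxy_answer(target, hops)
        if early is None:
            print(f"{label}: destination {target} reached normally after {len(hops)} hops")
        else:
            print(f"{label}: {target} answered at hop {early}, later hops silent; "
                  "an in-path device may be answering on its behalf")
```

Run it on a saved tracert transcript by reading the file into `parse_tracert`; a non-None result from `find_proxy_answer` is the cue to look at the device at that hop (here, the firewall) rather than at the partner network.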
07-12-2019 09:11 AM
Hi,
To permit return ICMP traffic, modify your ACL:
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
To make the ASA appear as a hop in the traceroute you would need to decrement the TTL:
policy-map global_policy
class class-default
set connection decrement-ttl
Here is a guide for you with more information.
HTH
07-12-2019 09:19 AM
Thank you, but as we "Trust" the partner network, we already allow all ICMP from their networks back through our firewall.
The issue isn't return traffic, but the ASA responding FOR the remote servers. (It shows a valid response and the "END Server" DNS resolution and IP at the firewall's traceroute hop (the second hop, not the 5th/6th hop where the server actually resides!).)
I need to find how to make the firewall NOT proxy the end-response traceroute destination...