ASA5516 responds for a Trace Route to remote server

rsmith
Level 3

I was running a traceroute to a remote server that goes through our new ASA5516x firewalls, via a private link to our partner site. I know it is at least 5 hops to reach this server, as we just migrated from our older 55xx EOL firewalls and could reach these servers. However, it appears that our ASA5516 is acting as a proxy for the server, so I cannot "see" into the partner network to assure the path is valid.

What configuration option do I need to change to stop the ASA5516 from responding for the remote servers/sites?


Z:\>tracert xxxx.xxxx.xx.site

Tracing route to xxxx.xxxx.xx.site [xx.xx.xx.37]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 1xx.x.x.1 <-- Core Router
2 <1 ms <1 ms <1 ms xxxx.xxxx.xx.site [xx.xx.xx.37] <--ASA5516 firewall
3 * * * Request timed out. <--same response to 30 hops
4 ^C
Z:\>

2 Replies

Hi,

To permit return ICMP traffic, modify your ACL:


access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable

To make the ASA appear as a hop in the traceroute, you would need to decrement the TTL:


policy-map global_policy
class class-default
set connection decrement-ttl

Here is a guide for you with more information.


HTH

Thank you, but as we "Trust" the partner network, we already allow all ICMP from their networks back through our firewall.

The issue isn't return traffic, but the ASA responding FOR the remote servers. It shows a valid response, with the end server's DNS resolution and IP, at the firewall's traceroute hop (the second hop, not the 5th/6th hop where the server actually resides!).


I need to find how to make the firewall NOT proxy the end-response traceroute destination...
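The symptom in this thread (the destination's own address appearing at an early hop, with every later hop timing out) is easy to miss when reading tracert output by hand. The following is an added example, not code from the thread or from Cisco, that parses Windows tracert output and flags that pattern; the sample trace is constructed, using RFC 5737 documentation addresses in place of the redacted ones.

```python
import re

# Constructed sample modelled on the poster's output: the firewall at hop 2
# answers with the destination's name and address, then everything times out.
SAMPLE_TRACERT = """\
Tracing route to app.partner.example [198.51.100.37]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  192.0.2.1
  2    <1 ms    <1 ms    <1 ms  app.partner.example [198.51.100.37]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

TARGET_RE = re.compile(r"Tracing route to \S+ \[(\d+\.\d+\.\d+\.\d+)\]")
# Hop line: number, three RTT columns, then "name [ip]" or a bare ip.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(?:\S+ \[)?(\d+\.\d+\.\d+\.\d+)\]?\s*$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+(?:\*\s+){3}Request timed out\.")


def parse_tracert(text):
    """Return (target_ip, [(hop, ip_or_None), ...]) from Windows tracert output."""
    target = TARGET_RE.search(text).group(1)
    hops = []
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))  # None marks a silent hop
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
    return target, hops


def proxied_hop(text):
    """Return the hop at which the target address answered while every later
    hop only timed out (a device in the path answering for the destination),
    or None when the trace ends normally at the target."""
    target, hops = parse_tracert(text)
    for i, (hop, ip) in enumerate(hops):
        if ip == target:
            later = hops[i + 1:]
            if later and all(ip2 is None for _, ip2 in later):
                return hop
            return None
    return None
```

Run against the poster's redacted trace the same logic would report hop 2, i.e. the ASA, as the device answering in the server's place.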
