10-11-2015 07:44 PM - edited 03-11-2019 11:43 PM
Hello all. Unfortunately my google-fu has let me down and I have been unable to resolve this issue on my own. The short of the situation is we have two ASAs in our network. A 5512x running 9.2.4 SMP and an older 5510 with 9.1.6. The portion of the network that resides behind the 5510 is a bunch of IT classrooms that we want traceroute to be able to pass out of. I am able to traceroute from behind the 5512x with no issues and the TTL increments and all that fun stuff. When I attempt to perform a traceroute from behind the 5510 things get weird. It will see every hop as the destination IP. I know the ASA gets kinda funny about doing this kinda thing being it's not a true router in the sense, but I want to see if I can get it working properly so our students/instructors have the best environment to teach from.
This is what a traceroute looks like behind the 5512X
1 2 ms 1 ms 1 ms 192.168.1.1 <---- (5512X)
2 9 ms 9 ms 9 ms 96.120.107.109
3 9 ms 9 ms 9 ms 162.151.74.153
4 11 ms 11 ms 11 ms 68.85.67.1
5 29 ms 16 ms 15 ms 68.86.91.137
6 14 ms 14 ms 12 ms 68.86.82.102
7 152 ms 113 ms 22 ms 173.167.57.234
8 26 ms 15 ms 13 ms 216.239.46.248
9 18 ms 15 ms 15 ms 209.85.143.210
10 21 ms 128 ms 21 ms 216.239.48.154
11 27 ms 21 ms 22 ms 216.239.49.77
12 * * * Request timed out.
13 21 ms 23 ms 23 ms 8.8.8.8
This is what the traceroute looks like behind the 5510
1 1 ms 1 ms 1 ms 172.16.1.1 <-------(5510)
2 2 ms 1 ms 1 ms 8.8.8.8 <-------(5512X)
3 9 ms 9 ms 9 ms 8.8.8.8
4 9 ms 9 ms 9 ms 8.8.8.8
5 11 ms 11 ms 11 ms 8.8.8.8
6 29 ms 16 ms 15 ms 8.8.8.8
7 14 ms 14 ms 12 ms 8.8.8.8
8 152 ms 113 ms 22 ms 8.8.8.8
9 26 ms 15 ms 13 ms 8.8.8.8
10 18 ms 15 ms 15 ms 8.8.8.8
11 21 ms 128 ms 21 ms 8.8.8.8
12 27 ms 21 ms 22 ms 8.8.8.8
13 * * * Request timed out.
14 21 ms 23 ms 23 ms 8.8.8.8
The classroom scopes are not routed in the traditional sense to the 5512x. Their IP scope is first NATTED (most specifically NAT overload/PAT) and then sent as a single IP across the rest of our managed network. Here are the settings which I have already applied to both ASAs regarding the ability to traceroute:
permits on the appropriate IP scopes on both the inbound/outbound interfaces
icmp echo
icmp echo-reply
icmp unreachable
icmp time-exceeded
icmp traceroute
class My_Specified_class_for_this_segment
set connection decrement-ttl
icmp unreachable rate-limit 10 burst-size 5
I'm hoping there is a simple protocol I have overlooked turning on. If you need more of the config let me know, but these are the parts at this point I feel pertain to the conversation. A simple JPG has been attached to give a better visual of the layout. Thanks
10-11-2015 09:34 PM
Hello Jason,
By any means do you have
inspect icmp error
enabled on the global policy map?
If not try adding it or try the command
fixup protocol icmp error to enable it
Let me know of the results
Regards,
Rodrigo
10-19-2015 05:22 AM
Rodrigo,
Thanks a bunch for the reply. Sorry I didn't get back to you sooner on this. This was definitely the fix. Inspect ICMP error must be enabled on the 5512X. Without it enabled it most certainly exhibits the behavior I described earlier.
If I could trouble you further, could you give a brief explanation of why the behavior I saw could be correlated to this setting not being enabled? Thanks a bunch and again sorry for the delayed reply.
Jason
10-19-2015 06:06 PM
Hello Jason,
Use the inspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops. However, using the inspect icmp error command makes the intermediate hop IP addresses visible. The adaptive security appliance overwrites the packet with the translated IP addresses.
Since the ASA was not creating an xlate for the hops the ASA was returning the destination IP 8.8.8.8 instead of the actual hop for all hops since the only matching session for that icmp was the 8.8.8.8 session.
Hope it helps
Rodrigo
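To make the xlate explanation above concrete, here is an added toy model (not from the thread, not Cisco code) of how a PAT device maps an inbound ICMP Time Exceeded back to the probe session that triggered it. The inside host, the PAT address, the hop list and the `inspect_icmp_error` flag are all constructed stand-ins; the flag plays the role of the ASA setting discussed in the thread.

```python
"""Toy model: how a PAT device hands ICMP Time Exceeded errors back to a
traceroute sender, with and without ICMP error inspection (constructed)."""
from dataclasses import dataclass

INSIDE_HOST = "172.16.1.10"  # constructed classroom host behind the 5510
MAPPED_IP = "203.0.113.5"    # constructed PAT address on the outside
TARGET = "8.8.8.8"


@dataclass(frozen=True)
class IcmpError:
    outer_src: str     # router that generated the Time Exceeded
    outer_dst: str     # mapped address the error is addressed to
    inner_src: str     # embedded copy of the original probe header
    inner_dst: str
    inner_ident: int   # echo identifier of the original probe (mapped)


class PatFirewall:
    def __init__(self, inspect_icmp_error: bool):
        self.inspect_icmp_error = inspect_icmp_error
        self.xlates = {}  # mapped ident -> (real src, real ident, dst)
        self._next_ident = 40000

    def outbound_probe(self, src, ident, dst):
        """Translate an outgoing echo request and record its xlate."""
        mapped = self._next_ident
        self._next_ident += 1
        self.xlates[mapped] = (src, ident, dst)
        return MAPPED_IP, mapped

    def inbound_error(self, err):
        """(source, destination) as the inside host sees it, or None if dropped."""
        session = self.xlates.get(err.inner_ident)
        if session is None or err.inner_dst != session[2]:
            return None  # stateful check: no matching session, error dropped
        real_src, _, dst = session
        if self.inspect_icmp_error:
            # Hop address made visible: outer source kept, inner header untranslated
            return err.outer_src, real_src
        # Default: the hop is hidden behind the session's destination address
        return dst, real_src


def traceroute_view(inspect, hops):
    """Source addresses the inside host would list for each intermediate hop."""
    fw = PatFirewall(inspect)
    seen = []
    for ttl, hop in enumerate(hops, start=1):
        mapped_ip, mapped_id = fw.outbound_probe(INSIDE_HOST, 1000 + ttl, TARGET)
        err = IcmpError(hop, mapped_ip, mapped_ip, TARGET, mapped_id)
        seen.append(fw.inbound_error(err)[0])
    return seen
```

With the flag off every hop collapses to `8.8.8.8`, reproducing the second trace in the question; with it on the real hop addresses come through.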
10-15-2015 06:00 AM
Hi,
Could you provide the "sh nat detail" output from the 5512X?
Regards,
Ergin