2350 Views, 10 Helpful, 4 Replies

Issue with Traceroute with Cisco ASAs

kossuth78
Level 1

Hello all. Unfortunately my google-fu has let me down and I have been unable to resolve this issue on my own. The short of the situation is we have two ASAs in our network: a 5512X running 9.2.4 SMP and an older 5510 with 9.1.6. The portion of the network that resides behind the 5510 is a bunch of IT classrooms that we want traceroute to be able to pass out of. I am able to traceroute from behind the 5512X with no issues and the TTL increments and all that fun stuff. When I attempt to perform a traceroute from behind the 5510 things get weird. It will see every hop as the destination IP. I know the ASA gets kinda funny about doing this kinda thing being it's not a true router in the sense, but I want to see if I can get it working properly so our students/instructors have the best environment to teach from.

 

This is what a traceroute looks like behind the 5512X

  1     2 ms     1 ms     1 ms  192.168.1.1                                       <---- (5512X)
  2     9 ms     9 ms     9 ms  96.120.107.109
  3     9 ms     9 ms     9 ms  162.151.74.153
  4    11 ms    11 ms    11 ms  68.85.67.1
  5    29 ms    16 ms    15 ms  68.86.91.137
  6    14 ms    14 ms    12 ms  68.86.82.102
  7   152 ms   113 ms    22 ms  173.167.57.234
  8    26 ms    15 ms    13 ms  216.239.46.248
  9    18 ms    15 ms    15 ms  209.85.143.210
 10    21 ms   128 ms    21 ms  216.239.48.154
 11    27 ms    21 ms    22 ms  216.239.49.77
 12     *        *        *     Request timed out.
 13    21 ms    23 ms    23 ms  8.8.8.8

 

This is what the traceroute looks like behind the 5510

  1     1 ms     1 ms     1 ms  172.16.1.1                                        <-------(5510)
  2     2 ms     1 ms     1 ms  8.8.8.8                                           <-------(5512X)
  3     9 ms     9 ms     9 ms  8.8.8.8
  4     9 ms     9 ms     9 ms  8.8.8.8
  5    11 ms    11 ms    11 ms  8.8.8.8
  6    29 ms    16 ms    15 ms  8.8.8.8
  7    14 ms    14 ms    12 ms  8.8.8.8
  8   152 ms   113 ms    22 ms  8.8.8.8
  9    26 ms    15 ms    13 ms  8.8.8.8
 10    18 ms    15 ms    15 ms  8.8.8.8
 11    21 ms   128 ms    21 ms  8.8.8.8
 12    27 ms    21 ms    22 ms  8.8.8.8
 13     *        *        *     Request timed out.
 14    21 ms    23 ms    23 ms  8.8.8.8

 

The classroom scopes are not routed in the traditional sense to the 5512X. Their IP scope is first NATted (more specifically, NAT overload/PAT) and then sent as a single IP across the rest of our managed network. Here are the settings which I have already applied to both ASAs regarding the ability to traceroute:

Permits on the appropriate IP scopes on both the inbound/outbound interfaces:

icmp echo
icmp echo-reply
icmp unreachable
icmp time-exceeded
icmp traceroute

class My_Specified_class_for_this_segment
  set connection decrement-ttl

icmp unreachable rate-limit 10 burst-size 5

I'm hoping there is a simple protocol I have overlooked turning on.  If you need more of the config let me know, but these are the parts at this point I feel pertain to the conversation.  A simple JPG has been attached to give a better visual of the layout.  Thanks

Accepted Solution

rodrigog
Level 1

Hello Jason,

By any means do you have

inspect icmp error

enabled on the global policy map?

If not, try adding it, or try the command

fixup protocol icmp error

to enable it.

Let me know of the results 

Regards,

Rodrigo


4 Replies


Rodrigo,

 

Thanks a bunch for the reply. Sorry I didn't get back to you sooner on this. This was definitely the fix. Inspect ICMP error must be enabled on the 5512X. Without it enabled it most certainly exhibits the behavior I described earlier.

If I could trouble you further, could you give a brief explanation of why the behavior I saw could be correlated to this setting not being enabled?  Thanks a bunch and again sorry for the delayed reply.

 

Jason   

Hello Jason,

Use the inspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops. However, using the inspect icmp error command makes the intermediate hop IP addresses visible. The adaptive security appliance overwrites the packet with the translated IP addresses.

Since the ASA was not creating an xlate for the hops, the ASA was returning the destination IP 8.8.8.8 instead of the actual hop for all hops, since the only matching session for that ICMP was the 8.8.8.8 session.

Hope it helps

Rodrigo 
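As an illustration of Rodrigo's explanation, the following Python is a simplified model added here (not ASA code) of a PAT firewall handling the ICMP time-exceeded error from each traceroute hop, with and without ICMP error inspection. The inside host, PAT address, ports and hop addresses are all constructed.

```python
# Toy model (added here, not ASA code) of how a PAT firewall rewrites the source
# of a traceroute hop's ICMP time-exceeded, with and without "inspect icmp error".
from dataclasses import dataclass

INSIDE_HOST = "172.16.1.50"      # constructed classroom host
OUTSIDE_PAT_IP = "203.0.113.10"  # constructed PAT address on the outside

@dataclass(frozen=True)
class Xlate:
    """One PAT entry: inside host/port mapped to an outside port, per flow."""
    inside_ip: str
    inside_port: int
    mapped_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class IcmpError:
    """ICMP error on the outside interface; it quotes the translated probe."""
    src_ip: str          # the intermediate hop that generated the error
    embedded_src: str
    embedded_sport: int
    embedded_dst: str
    embedded_dport: int

def untranslate_icmp_error(err, xlates, inspect_icmp_error):
    """(src, dst) as delivered inside, or None if no xlate matches (dropped)."""
    match = next((x for x in xlates
                  if err.embedded_src == OUTSIDE_PAT_IP
                  and x.mapped_port == err.embedded_sport
                  and (x.dst_ip, x.dst_port) == (err.embedded_dst, err.embedded_dport)),
                 None)
    if match is None:
        return None
    if inspect_icmp_error:
        # Inspection creates an xlate for the hop itself, so its IP survives.
        return (err.src_ip, match.inside_ip)
    # Without inspection the hop is hidden: the error is sourced from the far
    # end of the only matching session, so every hop prints as the destination.
    return (match.dst_ip, match.inside_ip)

def simulate_traceroute(hops, dst_ip, inspect_icmp_error):
    """One probe per TTL from a fresh port; returns the hop IPs printed inside."""
    xlates, seen = [], []
    for ttl, hop in enumerate(hops, start=1):
        x = Xlate(INSIDE_HOST, 40000 + ttl, 1024 + ttl, dst_ip, 33434 + ttl)
        xlates.append(x)
        err = IcmpError(hop, OUTSIDE_PAT_IP, x.mapped_port, dst_ip, x.dst_port)
        seen.append(untranslate_icmp_error(err, xlates, inspect_icmp_error)[0])
    return seen
```

Running `simulate_traceroute` with inspection off reproduces the 5510 output above (every hop reported as 8.8.8.8); with it on, the real hop addresses come through.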

 

ealiev
Cisco Employee

Hi,

Could you provide the "sh nat detail" output from the 5512X?

Regards,

Ergin
