not allow traceroute in asa

weichenyang
Level 1

How do I configure the ASA so that it does not allow traceroute to the ASA outside interface?

2 Accepted Solutions

There are two behaviours of the ASA for ICMP:
ICMP passing through
and
ICMP toward the ASA interface.

You want to deny the ICMP toward the ASA interface, and this needs a special command:
icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name
For more info about the command please check the link below:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1366339900


When you apply an ACL on the ASA, it applies to the transit traffic passing through the ASA; it won't take any effect on the traffic generated by or destined to the ASA itself. However, if you want to allow some ICMP traffic destined to the ASA itself you can use the command "icmp permit ..." as already mentioned. For example, common ICMP types you might want to allow would be unreachable and time exceeded. You can do that by issuing the commands "icmp permit any unreachable outside" and "icmp permit any time-exceeded outside". If you don't specify any "icmp permit ..." command the ASA would block any ICMP traffic by default. Another option that you can use which will look at the traffic destined to the ASA itself would be using the keyword "control-plane" alongside the "access-group" command. For example, if you defined your ACL and you want to apply it to look at the traffic destined to the ASA, then you can use the command "access-group ACL-NAME in interface outside control-plane". This option is not widely used and I don't think it is recommended either.

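As an added example that is not part of the thread or of Cisco's documentation, the following Python models the to-the-box ICMP rule evaluation the two accepted answers describe: rules are evaluated per interface, first match wins, an interface with any rule denies what nothing matches, and an interface with no rules keeps the platform default. The "any" / "host" / "address mask" source forms and the optional icmp_type are taken from the command syntax quoted above; the config it evaluates is constructed for the example and permits only unreachable and time-exceeded on outside while denying everything else aimed at that interface.

```python
"""Model Cisco ASA to-the-box ICMP rules: icmp {permit|deny} {any|host A|A MASK} [type] if_name.

Added example, not from the thread or from Cisco. Semantics modelled (ASA icmp command reference):
per interface, the first matching rule in config order wins; an interface with at least one rule
denies unmatched ICMP; an interface with no rules keeps the platform default, which permits.
"""
import ipaddress


def parse_rule(line):
    """Parse one 'icmp permit|deny ...' line into (action, source_net, icmp_type, if_name)."""
    t = line.split()
    if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
        return None                                  # e.g. 'icmp unreachable rate-limit ...'
    if t[2] in ("any", "any4"):
        net, rest = ipaddress.ip_network("0.0.0.0/0"), t[3:]
    elif t[2] == "host":
        net, rest = ipaddress.ip_network(t[3] + "/32"), t[4:]
    else:                                            # "A.B.C.D NETMASK" form
        net, rest = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4:]
    if len(rest) == 1:                               # no icmp_type: rule covers every type
        return (t[1], net, None, rest[0])
    if len(rest) == 2:
        return (t[1], net, rest[0], rest[1])
    return None


def decide(config, if_name, src_ip, icmp_type):
    """Return 'permit' or 'deny' for an ICMP packet of icmp_type from src_ip aimed at if_name."""
    rules = [r for r in map(parse_rule, config.splitlines()) if r and r[3] == if_name]
    if not rules:
        return "permit"                              # no rules here: platform default
    src = ipaddress.ip_address(src_ip)
    for action, net, rtype, _ in rules:              # first match wins
        if src in net and rtype in (None, icmp_type):
            return action
    return "deny"                                    # implicit deny after the last rule


# Constructed config: keep the error types the answers above permit, drop everything else
# aimed at the outside interface, including the echo probes of an ICMP traceroute.
SAMPLE_CONFIG = """
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
"""

if __name__ == "__main__":
    for typ in ("echo", "unreachable", "time-exceeded"):
        print(f"outside {typ}: {decide(SAMPLE_CONFIG, 'outside', '203.0.113.5', typ)}")
    print("inside echo (no rules):", decide(SAMPLE_CONFIG, "inside", "10.1.1.1", "echo"))
```

Transit traffic is untouched by these rules, so the through-the-box replies a traceroute from an inside host relies on are still governed by the interface ACL and ICMP inspection discussed below.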

13 Replies

@weichenyang by default the ASA will not show up in a traceroute....unless you've configured a policy-map to decrement the TTL.

The ASA will not appear in a traceroute by default (a policy needs to be configured for that), but it can allow ICMP TTL-expired messages to pass, and hence the device behind the ASA does appear.

Ricardo Romero
Cisco Employee

Hey,

If you just want to allow traceroute, all you need to do is permit the interesting traffic (ICMP time exceeded and ICMP unreachable). If it's UDP traceroute, permit port range 33434 to 33464.

If you also want the ASA to appear as a hop in the traceroute, you need to do something like this:

asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl


weichenyang
Level 1

Thanks for all the replies.

"unless you've configured a policy-map to decrement the TTL" ---- there is no policy about decrementing the TTL.

"but it can allow ICMP TTL-expired messages to pass and hence the device behind the ASA does appear" ----- how do I check whether the reason is an ICMP TTL expiry?

"If you just want to allow traceroute" ---- I do not want to allow traceroute; I will remove "icmp unreachable rate-limit 1 burst-size 1".

"If you also want the ASA to appear as a hop in the traceroute" ---- I do not want the ASA to appear as a hop in the traceroute.


https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/

access-list OUTSIDE extended permit icmp any4 any4 time-exceeded

or ICMP inspection 

no inspect icmp

no access-list Outside-in extended permit icmp any any

no icmp unreachable rate-limit 1 burst-size 1

Still fails.

I will run a small lab for you.

Hi friend,
Do you still need a solution for this issue?

You may have other settings that affect the behavior.

Please share the output of "show run | i icmp" and "show run access-group".

icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
inspect icmp error

access-group Outside-in in interface Outside

thanks


icmp permit any unreachable outside

thanks
