09-15-2022 01:17 AM
how to config asa in order to not allow traceroute to asa outside interface?
10-09-2022 05:33 AM
There are two behaviors of the ASA for ICMP:
ICMP passing through
and
ICMP toward the ASA interface.
You want to deny the ICMP toward the ASA interface, and this needs a special command:
icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name
For more info about the command, please check the link below:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1366339900
10-11-2022 01:36 AM
When you apply an ACL on the ASA, that applies to the transit traffic passing through the ASA; it won't take any effect on the traffic generated by or destined to the ASA itself. However, if you want to allow some ICMP traffic destined to the ASA itself, you can use the command "icmp permit ..." as already mentioned. For example, common ICMP types you might want to allow would be unreachable and time exceeded. You can do that by issuing the commands "icmp permit any unreachable outside" and "icmp permit any time-exceeded outside". If you don't specify any "icmp permit ..." command, the ASA would block any ICMP traffic by default. Another option that you can use, which will look at the traffic destined to the ASA itself, would be using the keyword "control-plane" alongside the "access-group" command. For example, say you defined your ACL and you want to apply it to look at the traffic destined to the ASA; then you can use the command "access-group ACL-NAME in interface outside control-plane". This option is not widely used and I don't think it is recommended either.
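As an added configuration example (written for this answer, not taken from the thread or from Cisco's documentation), this puts the two pieces above side by side for the original question. It assumes the interface is named Outside, as in the poster's own access-group line, and that the default global_policy / inspection_default policy-map exists.

```cisco
! --- ICMP terminating ON the outside interface (control plane) ---
! icmp rules are evaluated first-match, top to bottom, and only affect packets
! addressed to the ASA itself. Keep the messages the ASA needs to receive, then
! deny the rest explicitly so echo and everything else to the interface is dropped
! regardless of the implicit default.
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
icmp deny any Outside
!
! --- ICMP passing THROUGH the ASA (data plane) ---
! The interface ACL governs transit traffic only. Permit the error types that hosts
! behind the ASA need (traceroute replies, PMTUD) and let ICMP inspection track them.
access-list Outside-in extended permit icmp any4 any4 time-exceeded
access-list Outside-in extended permit icmp any4 any4 unreachable
access-group Outside-in in interface Outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify afterwards with: show run | i icmp   and   show run access-group
```

With this in place a traceroute aimed at the Outside address gets no answer from the ASA, while traceroutes to hosts behind it still work because the time-exceeded replies are transit traffic.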
09-15-2022 02:39 AM
@weichenyang By default the ASA will not show up in a traceroute, unless you've configured a policy-map to decrement the TTL.
09-15-2022 03:07 AM - edited 09-15-2022 07:48 AM
The ASA will not appear in a traceroute by default (a policy needs to be configured), but it can allow ICMP TTL-expired messages to pass, and hence the device behind the ASA appears.
09-15-2022 07:43 AM
Hey,
If you just want to allow traceroute, all you need to do is permit the interesting traffic (ICMP time exceeded and ICMP unreachable). If it's UDP traceroute, permit port range 33434 to 33464.
If you also want the ASA to appear as a hop in the traceroute, you need to do something like this:
asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl
09-15-2022 06:32 PM
Thanks for all the replies.
"unless you've configured a policy-map to decrement the TTL" ---- there is no policy to decrement the TTL.
"but it can allow ICMP TTL expire to pass and hence the device behind the ASA appears" ---- how do I check that the reason is ICMP TTL expiry?
"If you just want to allow traceroute" ---- I do not want to allow traceroute; I will remove "icmp unreachable rate-limit 1 burst-size 1".
"If you also want the ASA to appear as a hop in the traceroute" ---- I do not want the ASA to appear as a hop in the traceroute.
09-16-2022 05:01 AM - edited 09-16-2022 05:02 AM
https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/
access-list OUTSIDE extended permit icmp any4 any4 time-exceeded
or ICMP inspection
09-19-2022 11:12 PM
no inspect icmp
no access-list Outside-in extended permit icmp any any
no icmp unreachable rate-limit 1 burst-size 1
Still fails.
09-20-2022 01:00 AM
I will run a small lab for you.
10-03-2022 03:54 PM
Hi Friend,
Do you still need a solution for this issue?
10-03-2022 08:45 PM
You may have other settings that affect the behavior.
Please share the output of "show run | i icmp" and "show run access-group".
10-08-2022 06:37 PM
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
inspect icmp error
access-group Outside-in in interface Outside
thanks
10-12-2022 06:06 PM
icmp permit any unreachable outside
thanks