07-13-2011 07:11 AM - edited 03-11-2019 01:58 PM
Hi All
To make the ASA show up as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.
During my tests I recognized that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop.
How can I configure the ASA to show up as a hop in an IPv6 traceroute?
The ASA is a 5520 with v8.4(1) installed.
Thanks & regards
Patrik
07-14-2011 12:29 AM
Hi Patrik,
Do you have an access-list permitting icmp traffic? Here is a link on how to configure the ACL:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_ipv6.html#wp1076008
Here's an example:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D
Hope this helps!
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
07-14-2011 12:48 AM
Hi Anu
Of course I have an ACL for ICMPv6 through the ASA. But this does not solve my problem.
I want to see the ASA as a hop in an IPv6 traceroute.
To achieve this, the ASA has to decrement the TTL of each packet and send an 'icmp time-exceeded' if it receives a packet with a TTL of 1.
For IPv4 this works fine with the 'set connection decrement-ttl'.
regards
Patrik
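The mechanism Patrik describes (a hop only becomes visible to traceroute when it decrements the TTL or IPv6 hop limit and answers with time-exceeded) can be simulated. The following is an added example, not code from the thread or from Cisco; the path, node names and addresses are constructed (RFC 5737 / RFC 3849 documentation addresses), and the firewall node decrements only for IPv4 to mirror the behaviour reported above.

```python
"""Constructed simulation of how a traceroute probe discovers hops via the
IPv4 TTL or IPv6 hop limit. Added example, not from the thread; all names
and addresses are invented documentation values."""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    addr4: str
    addr6: str
    decrements: dict  # per family ("v4"/"v6"): does this node decrement TTL / hop limit?


def addr_of(node, family):
    return node.addr4 if family == "v4" else node.addr6


# Constructed path: probe source -> r1 -> asa -> r2 -> target.
PATH = [
    Node("r1", "192.0.2.1", "2001:db8:1::1", {"v4": True, "v6": True}),
    # The firewall decrements only IPv4, as observed in the thread (assumption for this model).
    Node("asa", "192.0.2.2", "2001:db8:2::5", {"v4": True, "v6": False}),
    Node("r2", "192.0.2.3", "2001:db8:3::1", {"v4": True, "v6": True}),
    Node("target", "198.51.100.10", "2001:db8:4::10", {"v4": True, "v6": True}),
]


def forward(path, family, ttl):
    """Carry one probe along the path.

    Each transit node that decrements the field subtracts one and, if the
    result is zero, discards the probe and answers with time-exceeded
    (ICMP type 11 for IPv4, ICMPv6 type 3). A node that forwards without
    decrementing never answers and is therefore invisible to traceroute.
    Returns (responder name, responder address, message kind)."""
    for node in path[:-1]:
        if node.decrements[family]:
            ttl -= 1
            if ttl == 0:
                return node.name, addr_of(node, family), "time-exceeded"
    target = path[-1]
    return target.name, addr_of(target, family), "echo-reply"


def traceroute(path, family, max_hops=30):
    """Send probes with TTL 1, 2, ... until the target itself answers.
    Returns the list of (ttl, name, address) seen, like traceroute output."""
    hops = []
    for ttl in range(1, max_hops + 1):
        name, addr, kind = forward(path, family, ttl)
        hops.append((ttl, name, addr))
        if kind == "echo-reply":
            break
    return hops


def visible_hops(path, family):
    """Names of the nodes that appear in the trace for the given family."""
    return [name for _, name, _ in traceroute(path, family)]


if __name__ == "__main__":
    for family in ("v4", "v6"):
        print(f"traceroute {family}:")
        for ttl, name, addr in traceroute(PATH, family):
            print(f" {ttl:2d}  {addr:<16} ({name})")
```

Run as a script, the IPv4 trace lists r1, asa, r2 and the target, while the IPv6 trace lists r1, r2 and the target: the firewall is still on the path, it is simply never the node whose decrement reaches zero, so it never sends the ICMPv6 time-exceeded that traceroute relies on.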
07-14-2011 04:41 AM
Hi Patrik,
Are you able to ping the directly connected ASA inside interface? Could you post your "sh run" here?
Regards,
Anu
07-14-2011 07:04 AM
Hi Anu
Yes, I'm able to ping the inside interface from an inside net. And I'm able to ping the outside interface from any outside net. But my problem is not related to ping. It's about traceroute which is not the same.
Here are the relevant parts of the 'sh run'. It's a bit obfuscated due to security restrictions.
ASA Version 8.4(1)
!
hostname uzhfwidtest1
multicast-routing
names
!
interface GigabitEthernet0/0
 description outside trunk
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan xxx
 nameif outside
 security-level 0
 ip address 130.60.xxx.xxx xxx.xxx.xxx.xxx
 ipv6 address 2001:x:x:x::5/64
 ipv6 enable
 ospf authentication-key *****
!
interface GigabitEthernet0/0.2
 vlan xxx
 nameif inside
 security-level 100
 ip address 130.60.xxx.xxx xxx.xxx.xxx.xxx
 ipv6 address 2001:x:x:x::1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
same-security-traffic permit intra-interface
object-group icmp-type UZHICMP
 icmp-object echo
 icmp-object time-exceeded
 icmp-object unreachable
access-list inside remark ICMP
access-list inside extended permit icmp any any object-group UZHICMP
access-list inside remark allow all
access-list inside extended permit ip any any
access-list inside remark abschliessendes deny
access-list inside extended deny ip any any
access-list outside remark ICMP
access-list outside extended permit icmp any any object-group UZHICMP
access-list outside remark abschliessendes deny
access-list outside extended deny ip any any
mtu outside 1500
mtu management 1500
mtu inside 1500
ipv6 route outside ::/0 2001:x:x:x::1
ipv6 access-list inside_access_ipv6_in remark ICMP
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in remark ICMP
ipv6 access-list outside_access_ipv6_in permit icmp6 any any
ipv6 access-list outside_access_ipv6_in deny ip any any
icmp unreachable rate-limit 10 burst-size 10
icmp permit any echo outside
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp deny any inside
arp timeout 14400
access-group outside in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside in interface inside
access-group inside_access_ipv6_in in interface inside
!
router ospf 1
 router-id 130.60.xxx.xxx
 network 130.60.xxx.xxx xxx.xxx.xxx.xxx area 0
 area 0 authentication
 log-adj-changes
 redistribute connected subnets
!
timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http redirect outside 80
service resetinbound
telnet timeout 5
ssh 130.60.xxx.xxx xxx.xxx.xxx.xxx outside
ssh timeout 60
console timeout 60
management-access inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
!
service-policy global_policy global
uzhfwidtest1#
07-14-2011 07:22 AM
Hi Patrik,
You need to match a class-map:
class-map class-default
 match any
Hope this helps!
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks!
07-14-2011 07:27 AM
No, you're wrong. The class 'class-default' is a default class-map which does not have to be defined.
uzhfwidtest1(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map
regards
Patrik
07-15-2011 12:27 AM
Hi Patrik,
Could you try this:
ipv6 access-list outside_access_ipv6_in permit icmp6 any any time-exceeded
Regards,
Anu
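The two settings this thread turns on, 'set connection decrement-ttl' in a policy-map class and an inbound IPv6 ACL that lets ICMPv6 time-exceeded through, are easy to check mechanically in a running-config dump. The following audit script is an added example, not from the thread or from Cisco; the config text in it is a constructed excerpt in the style of Patrik's 'sh run', not his actual configuration, and the ACE matcher is deliberately simplified (any/any entries only, evaluated first-match). Note that, as the later replies say, passing this audit does not by itself make the ASA show up in an IPv6 traceroute; it only confirms the configuration discussed here is in place.

```python
"""Audit an ASA running-config excerpt for 'set connection decrement-ttl'
and for inbound IPv6 ACLs that permit ICMPv6 time-exceeded.

Added example, not from the thread. SAMPLE_CONFIG is a constructed excerpt
modelled on the thread's 'sh run' output."""
import re

SAMPLE_CONFIG = """\
ipv6 access-list outside_access_ipv6_in remark ICMP
ipv6 access-list outside_access_ipv6_in permit icmp6 any any time-exceeded
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
ipv6 access-list inside_access_ipv6_in permit ip any any
access-group outside_access_ipv6_in in interface outside
access-group inside_access_ipv6_in in interface inside
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""

# 'ipv6 access-list <name> permit|deny <proto> <src> <dst> [<icmp type>]'
ACE_RE = re.compile(r"^ipv6 access-list (\S+) (permit|deny) (\S+) (\S+) (\S+)(?: (\S+))?$")
BIND_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def decrement_ttl_classes(config):
    """Return (policy-map, class) pairs carrying 'set connection decrement-ttl'.
    Relies on show-run indentation: class and set lines sit under policy-map."""
    found, pmap, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
        elif not raw.startswith(" "):
            pmap, cls = None, None  # any unindented line ends the policy-map block
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
        elif pmap and cls and line == "set connection decrement-ttl":
            found.append((pmap, cls))
    return found


def ipv6_acls(config):
    """Map ACL name -> ordered list of (action, proto, src, dst, icmp_type).
    Remark lines never match ACE_RE and are skipped."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, src, dst, itype = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, itype))
    return acls


def acl_bindings(config):
    """Map interface name -> list of ACL names applied inbound."""
    bindings = {}
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bindings.setdefault(m.group(2), []).append(m.group(1))
    return bindings


def permits_icmp6_time_exceeded(aces):
    """First-match evaluation of an ICMPv6 time-exceeded packet from any to any.
    Only any/any entries are considered; address-specific ACEs are ignored,
    and the implicit deny at the end of every ACL applies if nothing matches."""
    for action, proto, src, dst, itype in aces:
        if (src, dst) != ("any", "any"):
            continue
        if proto == "ip" or (proto == "icmp6" and itype in (None, "time-exceeded")):
            return action == "permit"
    return False


def audit(config):
    """Summarise both checks; ICMPv6 result is reported per interface that
    has an IPv6 ACL bound inbound."""
    acls = ipv6_acls(config)
    report = {"decrement_ttl": bool(decrement_ttl_classes(config)),
              "icmp6_time_exceeded": {}}
    for iface, names in acl_bindings(config).items():
        for name in names:
            if name in acls:
                report["icmp6_time_exceeded"][iface] = permits_icmp6_time_exceeded(acls[name])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Feed it the text of 'show running-config' (with its indentation intact) instead of SAMPLE_CONFIG to audit a real device; the interface entries that come back False are the ones where an ICMPv6 time-exceeded reply would be dropped by the ACL before anything else is considered.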
04-02-2019 10:38 AM
Long time ago, but it's an open feature request: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtt96454
12-02-2020 10:12 AM
Was just looking at your feature request, and it looks like it still isn't resolved? How has this not already been fixed?