Show ASA in IPv6 traceroute

patrik.spiess
Level 1

Hi All

To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.

During my tests I recognized that this behaviour only affects IPv4 traffic.

An IPv6 traceroute still does not show the ASA as a hop.

How can I configure the ASA to show up as a hop in an IPv6 traceroute?

The ASA is a 5520 with v8.4(1) installed.

Thanks & regards

Patrik

9 Replies

Anu M Chacko
Cisco Employee

Hi Patrik,

Do you have an access-list permitting icmp traffic? Here is a link on how to configure the ACL:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_ipv6.html#wp1076008

Here's an example:

hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D

Hope this helps!

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.

Hi Anu

Of course I have an ACL for ICMPv6 through the ASA. But this does not solve my problem.

I want to see the ASA as a hop in an IPv6 traceroute.

To achieve this, the ASA has to decrement the TTL of each packet and send an 'icmp time-exceeded' if it receives a packet with a TTL of 1.

For IPv4 this works fine with the 'set connection decrement-ttl'.

regards

Patrik
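The mechanism Patrik describes, as an added simulation that is not part of the original thread: traceroute only lists a device that decrements the TTL/hop limit and answers with Time Exceeded, so a firewall that forwards IPv6 without decrementing the hop limit never appears. The path, node names and "dst" are constructed, not the poster's real topology.

```python
from dataclasses import dataclass

@dataclass
class Node:
    """One forwarding device on the path (constructed example, not a real topology)."""
    name: str
    decrements: bool = True  # False models a hop that forwards without touching TTL/hop limit

def traceroute(path, dest, max_hops=30):
    """Simulate traceroute: probe with TTL/hop limit 1, 2, 3, ... and record who answers.

    A node that decrements the hop limit and would drop it to 0 answers with
    ICMP/ICMPv6 Time Exceeded; that reply is the only reason a node ever shows
    up in the output. A node that does not decrement forwards the probe untouched
    and is therefore invisible. The destination answers once a probe reaches it.
    Returns a list of (ttl, responder_name, kind) tuples.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        remaining = ttl
        responder = None
        for node in path:
            if node.decrements:
                remaining -= 1
                if remaining == 0:
                    responder = (ttl, node.name, "time-exceeded")
                    break
        if responder is None:
            responder = (ttl, dest, "reply")
        hops.append(responder)
        if responder[2] == "reply":
            break
    return hops

def visible_hops(hops):
    """Names in the order traceroute would print them."""
    return [name for _, name, _ in hops]

# Constructed path: router -> ASA -> router -> destination.
# IPv4: 'set connection decrement-ttl' makes the ASA decrement the TTL, so it is listed.
# IPv6: the ASA leaves the hop limit alone, so it never sends Time Exceeded and is skipped.
IPV4_PATH = [Node("r1"), Node("asa", decrements=True), Node("r2")]
IPV6_PATH = [Node("r1"), Node("asa", decrements=False), Node("r2")]

if __name__ == "__main__":
    for label, path in (("IPv4", IPV4_PATH), ("IPv6", IPV6_PATH)):
        print(label)
        for ttl, name, kind in traceroute(path, "dst"):
            print(f"  {ttl:2d}  {name} ({kind})")
```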

Hi Patrik,

Are you able to ping the directly connected ASA inside interface? Could you post your "sh run" here?

Regards,

Anu

Hi Anu

Yes, I'm able to ping the inside interface from an inside net. And I'm able to ping the outside interface from any outside net. But my problem is not related to ping. It's about traceroute which is not the same.

Here are the relevant parts of the 'sh run'. It's a bit obfuscated due to security restrictions.

ASA Version 8.4(1)
!
hostname uzhfwidtest1
multicast-routing
names
!
interface GigabitEthernet0/0
 description outside trunk
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan xxx
 nameif outside
 security-level 0
 ip address 130.60.xxx.xxx xxx.xxx.xxx.xxx
 ipv6 address 2001:x:x:x::5/64
 ipv6 enable
 ospf authentication-key *****
!
interface GigabitEthernet0/0.2
 vlan xxx
 nameif inside
 security-level 100
 ip address 130.60.xxx.xxx xxx.xxx.xxx.xxx
 ipv6 address 2001:x:x:x::1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
same-security-traffic permit intra-interface
object-group icmp-type UZHICMP
 icmp-object echo
 icmp-object time-exceeded
 icmp-object unreachable
access-list inside remark ICMP
access-list inside extended permit icmp any any object-group UZHICMP
access-list inside remark allow all
access-list inside extended permit ip any any
access-list inside remark abschliessendes deny
access-list inside extended deny ip any any
access-list outside remark ICMP
access-list outside extended permit icmp any any object-group UZHICMP
access-list outside remark abschliessendes deny
access-list outside extended deny ip any any
mtu outside 1500
mtu management 1500
mtu inside 1500
ipv6 route outside ::/0 2001:x:x:x::1
ipv6 access-list inside_access_ipv6_in remark ICMP
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
ipv6 access-list inside_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in remark ICMP
ipv6 access-list outside_access_ipv6_in permit icmp6 any any
ipv6 access-list outside_access_ipv6_in deny ip any any
icmp unreachable rate-limit 10 burst-size 10
icmp permit any echo outside
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp deny any inside
arp timeout 14400
access-group outside in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside in interface inside
access-group inside_access_ipv6_in in interface inside
!
router ospf 1
 router-id 130.60.xxx.xxx
 network 130.60.xxx.xxx xxx.xxx.xxx.xxx area 0
 area 0 authentication
 log-adj-changes
 redistribute connected subnets
!
timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http redirect outside 80
service resetinbound
telnet timeout 5
ssh 130.60.xxx.xxx xxx.xxx.xxx.xxx outside
ssh timeout 60
console timeout 60
management-access inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
!
service-policy global_policy global
uzhfwidtest1#

Hi Patrik,

You need to match a class-map:

class-map class-default
 match any

Hope this helps!

Regards,

Anu

P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks!

No, you're wrong. The class 'class-default' is a default class-map which does not have to be defined.

uzhfwidtest1(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

regards

Patrik

Hi Patrik,

Could you try this:

ipv6 access-list outside_access_ipv6_in permit icmp6 any any time-exceeded

Regards,

Anu

greky1989
Level 1

Long time ago, but it's an open feature request: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtt96454

Was just looking at your feature request, and it looks like it still isn't resolved? How has this not already been fixed?
