traceroute response issues, on ASA5505?

onetechit · ‎04-04-2013

I am having some odd traceroute issues coming from clients behind my ASA5505.

ASA Version: 9.1(1)

ASDM Version: 7.1(1)52

Firewall Mode: Routed

Using ASDM I have modified the Rule Actions on the default service policy, to inspect ICMP. I have also added the following two rules to the outside interface on the firewall:

permit Source: Any4 to Destination: Any4 for Service: icmp

permit Source: any6 to Destination: Any6 for Service: icmp6

If I then try to perform a traceroute from the ASA itself, the traceroutes comes back correct, such as:

>traceroute www.google.com

1 10.1.10.1 0 msec 0 msec 0 msec

2 67.180.16.1 20 msec 10 msec 20 msec

3 te-0-0-0-8-ur05.santaclara.ca.sfba.comcast.net (68.85.191.33) 20 msec 10 msec 10 msec

4 te-1-1-0-9-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.178) 30 msec

te-1-1-0-7-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.174) 20 msec

te-1-1-0-6-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.170) 10 msec

5 he-1-7-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.90.153) 20 msec 20 msec 20 msec

6 pos-0-7-0-0-pe01.529bryant.ca.ibone.comcast.net (68.86.88.202) 30 msec 10 msec 60 msec

7 66.208.228.226 20 msec 20 msec 20 msec

8 72.14.232.136 20 msec 20 msec 20 msec

9 64.233.174.19 20 msec 20 msec 20 msec

10 www.google.com (74.125.224.81) 20 msec 10 msec 20 msec

However, if I then try to perform a traceroute from a client behind the NAT side of the firewall, the traceroutes come differently, where I don't actually get to see the IP address of the hops:

Tracing route to www.google.com [74.125.239.84] over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 74.125.239.84

2 36 ms 23 ms 23 ms 74.125.239.84

3 10 ms 10 ms 10 ms 74.125.239.84

4 15 ms 11 ms 22 ms 74.125.239.84

5 20 ms 23 ms 22 ms 74.125.239.84

6 15 ms 14 ms 29 ms 74.125.239.84

7 13 ms 12 ms 14 ms 74.125.239.84

8 13 ms 29 ms 12 ms 74.125.239.84

9 56 ms 56 ms 60 ms 74.125.239.84

...

Any idea what needs to be modified in order to allow me to see the correct traceroute hops from behind my firewall?

lcambron · ‎04-04-2013

Robert,

Take a look at this guide:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace

you need some commands to allow traceroute on an ASA:

Example:

policy-map global_policy

class class-default

set connection decrement-ttl

icmp unreachable rate-limit 10 burst-size 5

And allow icmp time-exceeded on the outside interface

Regards,

Felipe.

onetechit · ‎04-04-2013

Is this because I am now running ASA 9.1(1)? I seem to recall the configuration options that I listed in the original post seemed to make traceroute work without issue under ASA 8.4(3).

Also, if I continue to experience this issue, can I downgrade from 9.1(1) back to 8.4(x) without 'breaking' anything in my config?

Julio Carvajal · ‎04-04-2013

Hello Robert,

Is it working with the configuration changes that my co-worker Felipe provided you ( as those are the ones need it )?

It is not just because you went to 9.0, I mean there are several changes from previous version to this one but the behavior of the Traceroute mechanism still being the same...

If this is not working yet please add the following command:

fixup protocol icmp-error ( This command will allow the ASA to show the IP addresses involed in the exchange of ICMP error messages, by default the ASA will hide them)

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC