04-04-2013 03:34 PM - edited 03-11-2019 06:23 PM
I am having some odd traceroute issues coming from clients behind my ASA5505.
ASA Version: 9.1(1)
ASDM Version: 7.1(1)52
Firewall Mode: Routed
Using ASDM I have modified the Rule Actions on the default service policy, to inspect ICMP. I have also added the following two rules to the outside interface on the firewall:
permit Source: Any4 to Destination: Any4 for Service: icmp
permit Source: any6 to Destination: Any6 for Service: icmp6
If I then try to perform a traceroute from the ASA itself, the traceroutes come back correct, such as:
>traceroute www.google.com
1 10.1.10.1 0 msec 0 msec 0 msec
2 67.180.16.1 20 msec 10 msec 20 msec
3 te-0-0-0-8-ur05.santaclara.ca.sfba.comcast.net (68.85.191.33) 20 msec 10 msec 10 msec
4 te-1-1-0-9-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.178) 30 msec
te-1-1-0-7-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.174) 20 msec
te-1-1-0-6-ar01.sfsutro.ca.sfba.comcast.net (69.139.198.170) 10 msec
5 he-1-7-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.90.153) 20 msec 20 msec 20 msec
6 pos-0-7-0-0-pe01.529bryant.ca.ibone.comcast.net (68.86.88.202) 30 msec 10 msec 60 msec
7 66.208.228.226 20 msec 20 msec 20 msec
8 72.14.232.136 20 msec 20 msec 20 msec
9 64.233.174.19 20 msec 20 msec 20 msec
10 www.google.com (74.125.224.81) 20 msec 10 msec 20 msec
However, if I then try to perform a traceroute from a client behind the NAT side of the firewall, the traceroutes come back differently, and I don't actually get to see the IP address of the hops:
Tracing route to www.google.com [74.125.239.84] over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 74.125.239.84
2 36 ms 23 ms 23 ms 74.125.239.84
3 10 ms 10 ms 10 ms 74.125.239.84
4 15 ms 11 ms 22 ms 74.125.239.84
5 20 ms 23 ms 22 ms 74.125.239.84
6 15 ms 14 ms 29 ms 74.125.239.84
7 13 ms 12 ms 14 ms 74.125.239.84
8 13 ms 29 ms 12 ms 74.125.239.84
9 56 ms 56 ms 60 ms 74.125.239.84
...
Any idea what needs to be modified in order to allow me to see the correct traceroute hops from behind my firewall?
04-04-2013 07:36 PM
Robert,
Take a look at this guide:
You need some commands to allow traceroute on an ASA:
Example:
policy-map global_policy
class class-default
set connection decrement-ttl
icmp unreachable rate-limit 10 burst-size 5
And allow icmp time-exceeded on the outside interface
Regards,
Felipe.
04-04-2013 10:22 PM
Is this because I am now running ASA 9.1(1)? I seem to recall the configuration options that I listed in the original post seemed to make traceroute work without issue under ASA 8.4(3).
Also, if I continue to experience this issue, can I downgrade from 9.1(1) back to 8.4(x) without 'breaking' anything in my config?
04-04-2013 11:17 PM
Hello Robert,
Is it working with the configuration changes that my co-worker Felipe provided you (as those are the ones needed)?
It is not just because you went to 9.0. I mean, there are several changes from the previous version to this one, but the behavior of the traceroute mechanism is still the same...
If this is not working yet please add the following command:
fixup protocol icmp-error (This command will allow the ASA to show the IP addresses involved in the exchange of ICMP error messages; by default the ASA will hide them.)
Regards,
Remember to rate all of the helpful posts
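Consolidated into one configuration, as an added example that is not taken from any post in this thread: Felipe's `decrement-ttl` and `icmp unreachable` commands, the Time Exceeded rule on the outside interface, and the ICMP error inspection that the last reply gives in its legacy `fixup protocol icmp-error` form (on a 9.x policy-map configuration that is `inspect icmp error` under the inspection class). The interface name `outside` and the ACL name `outside_access_in` are assumptions. The ACL is deliberately narrower than the blanket ICMP permit in the original post: only the two ICMP types traceroute actually needs are allowed in.

```cisco
! Added example for ASA 9.1 in routed mode; interface "outside" and
! ACL "outside_access_in" are assumed names, not the thread's config.
!
! 1. Inspect ICMP, and in particular ICMP error messages. Without
!    "inspect icmp error" the ASA does not build translations for the
!    intermediate hops, and the Time Exceeded replies come back carrying
!    the destination's address instead of the hop's address, which is the
!    symptom shown in the original post (every hop = 74.125.239.84).
! 2. "set connection decrement-ttl" makes the ASA decrement TTL so it
!    appears as a hop itself rather than being invisible.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
! 3. Allow the ASA to send the Unreachable / Time Exceeded messages it now
!    generates, rate-limited so it cannot be used as a reply amplifier.
icmp unreachable rate-limit 10 burst-size 5
!
! 4. Permit only the ICMP types traceroute needs inbound on the outside
!    interface, instead of "permit icmp any4 any4".
access-list outside_access_in extended permit icmp any4 any4 time-exceeded
access-list outside_access_in extended permit icmp any4 any4 unreachable
access-group outside_access_in in interface outside
```

After applying this, `show service-policy` should list both ICMP inspections under `global_policy`, and a `tracert` from a client behind the ASA should show each hop's real address, with the ASA's inside address appearing as hop 1 because of the TTL decrement.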