cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6344
Views
4
Helpful
4
Replies

traceroute through an ASA

walter1972
Level 1
Level 1

I'm trying to permit tracetoute (from an internal server) through my ASA to any host on the outside. So far I can only find information relating to traceroute to show the ASA...

policy-map global_default

class class-default

set connection decrement-ttl

icmp unreachables rate-limit 10 burst-size 5

icmp permit any outside

icmp permit any inside

access-list OUTSIDE_IN permit icmp any any

access-group OUTSIDE_IN in interface outside

How can I simply allow traceroute through the ASA - do I need to look into setting up an access-list for the Unix/Windows traceroute ports?

Perhaps someone can post a similar examle for me?

Many thanks!!!

4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

Try this

example from link bellow

remove

no access-list OUTSIDE_IN permit icmp any any

add

access-list OUTSIDE_IN permit icmp any any echo-reply

access-list OUTSIDE_IN permit icmp any any source-quench

access-list OUTSIDE_IN permit icmp any any unreachable

access-list OUTSIDE_IN permit icmp any any time-exceeded

access-group OUTSIDE_IN in interface outside

policy-map global_policy

class inspection_default

inspect icmp

Reference this link for more details on how PIX/ASA handles ICMP and traceroutes.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Additionaly , would not recommend having icmp permit any outside unless you are testing ICMP on outside interface.. your outside interface will be pingable from any source from outside.

this should be no impact in disabling icmp on outside interface.

no icmp permit any outside

icmp deny any outside

Regards

Jorge Rodriguez

you can add

inspect icmp error

in addition to inspect icmp

and only allow

access-list OUTSIDE_IN permit icmp any any unreachable

access-list OUTSIDE_IN permit icmp any any time-exceeded

via acl.

So are you saying I don't need the set connection decrement-ttl command?

Also I have seen this ACL mentioned in another post:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe3ac2

access-list outside_access_in line 3 permit udp host x.x.x.x object-group TCP-UDP host x.x.x.x object-group TCP-UDP

access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)

access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x range 33400 33600 (hitcnt=0)

access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x eq echo (hitcnt=0)

access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x range 33400 33600 (hitcnt=0)

Again, is this not necessary?

Thanks for helping everyone!!

This command is only required if you want the ASA show as a hop count when doing traceroute.

see guideline(set connection decrement-ttl)

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1299054

B.Regards

Jorge Rodriguez
Review Cisco Networking for a $25 gift card