12-09-2013 02:27 PM - edited 03-11-2019 08:15 PM
Hi all,
I have an ASA 5510
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 7.1(1)52
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
and I previously had traceroute working, but recently had a contractor do some work on our unit and since then traceroute has not worked through the unit (inside -> outside). I have had a look to try and ascertain the cause of this through the usual googling for 'traceroute through pix/asa' and have all the necessary rules in place (obviously not, however), but it doesn't work. I have been looking at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace
and http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
and http://www.openna.com/docs/enable_traceroute_asa.php
which I think I have covered off below. I'm sure it's something simple, but I cannot seem to see the forest through the trees.
Could someone please point out what I am missing?
access-group outside_acl_in in interface outside
access-group inside_acl_in in interface inside
access-group dmz_acl_in in interface dmz
access-list outside_acl_in extended permit icmp any any echo-reply
access-list outside_acl_in extended permit icmp any any source-quench
access-list outside_acl_in extended permit icmp any any unreachable
access-list outside_acl_in extended permit icmp any any time-exceeded
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
I can PM the full config to someone should that be necessary.
TIA
12-09-2013 03:02 PM
Hi,
You could start with a simple "packet-tracer" command output.
Perhaps for some reason they added a rule that now blocks the ICMP messages.
packet-tracer input inside icmp
Post the output
- Jouni
12-09-2013 03:06 PM
Hi, thanks for offering to assist. Below are the results you requested (I have obfuscated our external IP).
ASA01# packet-tracer input inside icmp 192.168.0.215 8 0 8.8.8.8
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl_in in interface inside
access-list inside_acl_in extended permit icmp any any
Additional Information:
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
match ip inside 192.168.0.0 255.255.0.0 dmz any
static translation to 192.168.0.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 11
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.0.0
match ip inside 192.168.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (
translate_hits = 38160256, untranslate_hits = 1844948
Additional Information:
Dynamic translate 192.168.0.215/0 to
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 60568864, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-09-2013 03:17 PM
Hi,
Have you monitored the logs through ASDM while you have tried the traceroute? Has anything been getting blocked by the ASA?
Have you tried the Traceroute from different hosts on the network or perhaps even network devices?
Does ASA traceroute succeed?
traceroute 8.8.8.8 numeric
- Jouni
12-09-2013 03:28 PM
hi Jouni,
I have tried it on multiple PCs, yes. The traffic all goes through our core switch first, but that is not set up for firewalling, just switching. Even if I set my PC's default gateway to the ASA, I get the same blocked traffic, just *'s until it reaches hop 23, which is the destination host.
In reference to checking the logs via the ASDM, what is the best way to achieve this? Does something need to be turned on before it will work? I have tried checking the logs on it before but it doesn't show anything, which leads me to believe that I am doing it wrong.
Your assistance is greatly appreciated.
12-09-2013 04:24 PM
Hello Aaron,
Well as everything seems to be allowed through the ASA let's do a capture (packets never lie)
capture capin interface inside match icmp host 192.168.0.215 host 8.8.8.8
cap capout interface outside match icmp host x.x.x.x host 8.8.8.8
cap asp type asp-drop all circular-buffer
Then do a traceroute to 8.8.8.8 from an internal PC and provide
show cap capin
show cap capout
show cap asp | include 8.8.8.8
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-09-2013 05:21 PM
tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 1 ms 2 ms 1 ms 192.168.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 22 ms 48 ms 23 ms 8.8.8.8
ASA01# capture capin interface inside match icmp host 192.168.0.215 host 8.8.8.8
ASA01# cap capout interface outside match icmp host
ASA01# cap asp type asp-drop all circular-buffer
ASA01# show cap capin
30 packets captured
1: 11:20:57.637372 192.168.0.215 > 8.8.8.8: icmp: echo request
2: 11:21:01.512012 192.168.0.215 > 8.8.8.8: icmp: echo request
3: 11:21:05.512134 192.168.0.215 > 8.8.8.8: icmp: echo request
4: 11:21:09.511509 192.168.0.215 > 8.8.8.8: icmp: echo request
5: 11:21:13.511677 192.168.0.215 > 8.8.8.8: icmp: echo request
6: 11:21:17.511844 192.168.0.215 > 8.8.8.8: icmp: echo request
7: 11:21:21.512302 192.168.0.215 > 8.8.8.8: icmp: echo request
8: 11:21:25.511005 192.168.0.215 > 8.8.8.8: icmp: echo request
9: 11:21:29.511219 192.168.0.215 > 8.8.8.8: icmp: echo request
10: 11:21:33.511753 192.168.0.215 > 8.8.8.8: icmp: echo request
11: 11:21:37.511509 192.168.0.215 > 8.8.8.8: icmp: echo request
12: 11:21:41.510547 192.168.0.215 > 8.8.8.8: icmp: echo request
13: 11:21:45.511539 192.168.0.215 > 8.8.8.8: icmp: echo request
14: 11:21:49.510929 192.168.0.215 > 8.8.8.8: icmp: echo request
15: 11:21:53.511387 192.168.0.215 > 8.8.8.8: icmp: echo request
16: 11:21:57.511539 192.168.0.215 > 8.8.8.8: icmp: echo request
17: 11:22:01.510517 192.168.0.215 > 8.8.8.8: icmp: echo request
18: 11:22:05.510456 192.168.0.215 > 8.8.8.8: icmp: echo request
19: 11:22:09.510456 192.168.0.215 > 8.8.8.8: icmp: echo request
20: 11:22:13.510959 192.168.0.215 > 8.8.8.8: icmp: echo request
21: 11:22:17.510441 192.168.0.215 > 8.8.8.8: icmp: echo request
22: 11:22:21.510517 192.168.0.215 > 8.8.8.8: icmp: echo request
23: 11:22:25.510776 192.168.0.215 > 8.8.8.8: icmp: echo request
24: 11:22:29.510975 192.168.0.215 > 8.8.8.8: icmp: echo request
25: 11:22:33.510578 192.168.0.215 > 8.8.8.8: icmp: echo request
26: 11:22:33.533099 8.8.8.8 > 192.168.0.215: icmp: echo reply
27: 11:22:33.533709 192.168.0.215 > 8.8.8.8: icmp: echo request
28: 11:22:33.581909 8.8.8.8 > 192.168.0.215: icmp: echo reply
29: 11:22:33.582413 192.168.0.215 > 8.8.8.8: icmp: echo request
30: 11:22:33.605849 8.8.8.8 > 192.168.0.215: icmp: echo reply
30 packets shown
ASA01# show cap capout
27 packets captured
1: 11:21:09.511677
2: 11:21:13.511844
3: 11:21:17.511997
4: 11:21:21.512455
5: 11:21:25.511158
6: 11:21:29.511432
7: 11:21:33.511936
8: 11:21:37.511661
9: 11:21:41.510700
10: 11:21:45.511692
11: 11:21:49.511081
12: 11:21:53.511554
13: 11:21:57.511692
14: 11:22:01.510670
15: 11:22:05.510608
16: 11:22:09.510608
17: 11:22:13.511127
18: 11:22:17.510593
19: 11:22:21.510685
20: 11:22:25.510959
21: 11:22:29.511127
22: 11:22:33.510731
23: 11:22:33.533068 8.8.8.8 >
24: 11:22:33.533740
25: 11:22:33.581879 8.8.8.8 >
26: 11:22:33.582428
27: 11:22:33.605834 8.8.8.8 >
27 packets shown
ASA01# show cap asp | include 8.8.8.8
436: 11:26:24.816272 203.170.86.89.80 > 192.168.0.39.51909: . 987837008:987838388(1380) ack 3975248344 win 154
437: 11:26:24.818408 203.170.86.89.80 > 192.168.0.39.51909: . 987838388:987839768(1380) ack 3975248344 win 154
ASA01#
12-09-2013 05:33 PM
Hello Aaron,
As you can see, from the ASA perspective we only see echo requests going out (I see some ICMP echo replies, but those are not related to the traceroute being sent).
With that in mind, what else do you have on the outside world that might be filtering those ICMP time exceeded messages?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
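As an added illustration (not part of the thread, and not Cisco's code): a small Python helper that reads the two `show cap` listings in the format shown above and reports where the traceroute breaks, using the same reasoning as the post above (probes leave the outside interface, nothing comes back). The capture text, the public address 198.51.100.10 and the hop 203.0.113.1 are constructed samples, and it is assumed that the ASA prints TTL-expired answers as `icmp: time exceeded in-transit`.

```python
import re
from collections import Counter

# Line format of "show cap <name>" for ICMP on ASA 8.2, e.g.
#   "26: 11:22:33.533099 8.8.8.8 > 192.168.0.215: icmp: echo reply"
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: (.+?)\s*$")


def parse_capture(text):
    """Return (src, dst, message) tuples; non-ICMP and summary lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(records, target):
    """Count probes toward target and answers coming back, by ICMP message kind.
    Probes are matched on destination only, so the NAT'd source on the outside
    capture does not matter."""
    counts = Counter()
    for src, dst, msg in records:
        if dst == target and msg == "echo request":
            counts["probe_out"] += 1
        elif "time exceeded" in msg:          # assumed ASA wording (see lead-in)
            counts["time_exceeded_in"] += 1
        elif src == target and msg == "echo reply":
            counts["echo_reply_in"] += 1
    return counts


def diagnose(capin_text, capout_text, target):
    """Locate where the traceroute breaks from the inside and outside captures."""
    cin = summarize(parse_capture(capin_text), target)
    cout = summarize(parse_capture(capout_text), target)
    if cin["probe_out"] and not cout["probe_out"]:
        return "asa-egress"      # probes seen inside never leave the outside interface
    if cout["probe_out"] and not cout["time_exceeded_in"]:
        return "upstream"        # probes leave, no TTL-expired answers return
    if cout["time_exceeded_in"] and not cin["time_exceeded_in"]:
        return "asa-ingress"     # answers arrive but the ASA drops them
    return "ok"


# Constructed captures (not the thread's real output), one line per packet.
CAPIN = """\
1: 11:20:57.637372 192.168.0.215 > 8.8.8.8: icmp: echo request
2: 11:21:01.512012 192.168.0.215 > 8.8.8.8: icmp: echo request
3: 11:21:05.533099 8.8.8.8 > 192.168.0.215: icmp: echo reply
"""
CAPOUT = """\
1: 11:20:57.637500 198.51.100.10 > 8.8.8.8: icmp: echo request
2: 11:21:01.512200 198.51.100.10 > 8.8.8.8: icmp: echo request
3: 11:21:05.533000 8.8.8.8 > 198.51.100.10: icmp: echo reply
"""
# Same outside capture with an intermediate hop answering, for comparison.
CAPOUT_HEALTHY = CAPOUT + "4: 11:20:57.640000 203.0.113.1 > 198.51.100.10: icmp: time exceeded in-transit\n"

if __name__ == "__main__":
    print(diagnose(CAPIN, CAPOUT, "8.8.8.8"))          # upstream
    print(diagnose(CAPIN, CAPOUT_HEALTHY, "8.8.8.8"))  # asa-ingress
```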
12-09-2013 05:40 PM
hi Jcarvaja,
There is nothing from a firewall perspective; we have the carrier's CPE router and from there it disappears into the ether. Should I check with the carrier to see if they are filtering these? (They were not in the past, AFAIK.)
Cheers,
Aaron
12-09-2013 05:42 PM
Yes, please
Let them know you have captures showing packets going out and no packets coming back
Sent from Cisco Technical Support Android App