04-01-2014 11:56 AM - edited 03-11-2019 09:01 PM
I need to know why the traceroute command through a Cisco FWSM with dynamic PAT does not work.
I can only make it work with a non-translated IP or with static NAT.
Is this a bug, or does it just not work?
Cisco FWSM Firewall Version 4.1(15).
Thanks a lot,
Jose.
04-02-2014 02:59 AM
Not sure what you mean by non translated IP. Do you mean an IP on the same subnet as the PC you are tracing from?
By default traceroute is dropped on the firewall, or more accurately the replies are being dropped. So you would need to add an ACL on the outside interface that allows echo-reply ingress.
--
Please remember to rate and select a correct answer
04-02-2014 10:38 AM
Hello Marius, thanks for your response.
By non-translated IP I was talking about a non-NATted one.
I already tried configuring an ACL allowing time-exceeded, unreachables and also allowing all ICMP, but unfortunately that does not solve the problem.
Thanks for your help.
04-02-2014 11:38 PM
Could you provide a full running config (sanitised), and a description of which interface the PC you are tracing from is located on. I am assuming that since you mention dynamic PAT that the destination host is located on the internet somewhere?
--
Please remember to rate and select a correct answer
04-04-2014 01:42 PM
Hello Marius,
The traceroute not working is from INSIDE to OUTSIDE with dynamic PAT, for instance from 172.16.0.X /24 to 8.8.8.8
If I assign a public IP that is just routed, the traceroute works OK. Also if I configure a static NAT, again everything is good. The config is pretty basic.
Here's the config:
:
FWSM Version 4.1(15)
!
hostname XXXX
domain-name XXXX.com
enable password XXXXXX
names
dns-guard
!
interface Vlan101
description OUTSIDE
nameif outside
security-level 0
ip address 10.50.3.49 255.255.255.248
!
interface Vlan102
description INSIDE
nameif inside
security-level 100
ip address 10.50.3.65 255.255.255.248
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list INSIDE extended permit ip any any
!
access-list OUTSIDE extended permit ip any 200.200.200.0 255.255.255.240
!
logging enable
logging timestamp
logging buffer-size 1000000
logging buffered debugging
logging trap warnings
logging asdm warnings
mtu outside 1500
mtu inside 1500
!
monitor-interface outside
monitor-interface inside
!
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
global (outside) 1 200.200.200.1
!
nat (inside) 1 172.16.0.0 255.255.255.0
!
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
!
route services 172.16.0.0 255.255.255.0 10.50.3.66
route services 200.200.200.0 255.255.255.240 10.50.3.66
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
!
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
service reset no-connection
no service reset connection marked-for-deletion
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
class-map default
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp error
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c152d23d422a5b99471378e3eb015fca
: end
Thanks a lot.
04-05-2014 07:06 AM
Try adding the following commands and then test:
fixup protocol icmp
fixup protocol icmp error
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-group OUTSIDE in interface outside
Let me know how it goes.
--
Please remember to rate and select a correct answer
04-05-2014 09:08 PM
Hello,
If you check, the icmp and icmp error inspections are already there. I added the ACLs but that didn't fix the problem.
Thanks.
04-06-2014 02:23 AM
Yes, I keep forgetting the fixup command has been replaced.
But it is odd that it is not working. All the correct commands are present to allow the traceroute.
If you do a packet capture on the inside and outside interface for the specific host you are tracing from and to, do you see the icmp requests and replies?
As an extreme, try clearing the xlate table and then test. Clearing the xlate table will cause all active connections to need to be re-established. So best to do this in a service window.
--
Please remember to rate and select a correct answer
10-26-2014 11:57 AM
Hello jbaraona,
Did you manage to fix the issue? I have the very same behaviour with an ASA 5510 running 9.1(5).
Thanks,
Heri
10-26-2014 05:24 PM
Hello, for the FWSM there is no option; it does not work.
For ASA I think you could try the solution suggested by Marius:
try adding the following commands and then test:
inspect protocol icmp
inspect protocol icmp error
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-group OUTSIDE in interface outside
10-26-2014 05:39 PM
Hi Jbaraona,
Looking at your FWSM, I noticed that the nat statement for network 10.50.3.64/29 is missing; please try this:
nat (inside) 1 10.50.3.64 255.255.255.248
PS: When enabling ICMP inspection, you would not need to enable the return traffic on the outside interface.
Regards,
Aref
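Added here to illustrate the point made in this thread about `inspect icmp` and `inspect icmp error` (example code, not from the thread, the FWSM or Cisco): a Python model of why a traceroute probe through dynamic PAT only gets its ICMP time-exceeded reply back if the firewall looks inside the error at the quoted original header to find the xlate. The addresses 172.16.0.0/24 and 200.200.200.1 come from the posted config; the inside host 172.16.0.10, the hop router 10.50.3.50, the ICMP ids and the xlate table layout are constructed assumptions.

```python
import socket
import struct
# Constructed model of stateful ICMP handling through dynamic PAT, using the thread's
# addresses (172.16.0.0/24 behind global 200.200.200.1); host, hop router and ids are assumed.
INSIDE_HOST, PAT_GLOBAL, HOP_ROUTER = "172.16.0.10", "200.200.200.1", "10.50.3.50"
ECHO_REPLY, ECHO, TIME_EXCEEDED = 0, 8, 11

def ip_icmp(src, dst, icmp_type, ident, seq, payload=b""):
    """IPv4 header (20 B, checksums left zero) + ICMP header (8 B) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse(pkt):
    """-> (src, dst, icmp type, id, seq, bytes after the ICMP header)."""
    t, _, _, ident, seq = struct.unpack("!BBHHH", pkt[20:28])
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), t, ident, seq, pkt[28:]

class PatFirewall:
    def __init__(self, inspect_icmp_error):
        self.inspect_icmp_error = inspect_icmp_error
        self.xlate = {}   # (global ip, mapped icmp id) -> (inside ip, original id)
        self.next_id = 1024
    def outbound(self, pkt):
        src, dst, t, ident, seq, data = parse(pkt)
        mapped, self.next_id = self.next_id, self.next_id + 1
        self.xlate[(PAT_GLOBAL, mapped)] = (src, ident)   # 'inspect icmp' tracks the id
        return ip_icmp(PAT_GLOBAL, dst, t, mapped, seq, data)
    def inbound(self, pkt):
        """Untranslated packet for the inside host, or None when the firewall drops it."""
        src, dst, t, ident, seq, data = parse(pkt)
        if t == ECHO_REPLY and (dst, ident) in self.xlate:
            inside, orig_id = self.xlate[(dst, ident)]
            return ip_icmp(src, inside, t, orig_id, seq, data)
        if t == TIME_EXCEEDED and self.inspect_icmp_error:
            # 'inspect icmp error': look up the xlate via the quoted original header
            isrc, idst, it, iid, iseq, _ = parse(data)
            if (isrc, iid) in self.xlate:
                inside, orig_id = self.xlate[(isrc, iid)]
                return ip_icmp(src, inside, t, 0, 0, ip_icmp(inside, idst, it, orig_id, iseq))
        return None   # outer header has no id that maps to an inside host: dropped

def traceroute_hop(inspect_icmp_error):
    """One low-TTL probe; returns (hop, inside host) as delivered inside, or None."""
    fw = PatFirewall(inspect_icmp_error)
    on_wire = fw.outbound(ip_icmp(INSIDE_HOST, "8.8.8.8", ECHO, 0x1234, 1))
    # RFC 792: the error quotes the offending IP header plus its first 8 bytes
    back = fw.inbound(ip_icmp(HOP_ROUTER, PAT_GLOBAL, TIME_EXCEEDED, 0, 0, on_wire[:28]))
    return None if back is None else parse(back)[:2]
```

The model shows why an interface ACL alone cannot deliver the error: the outer header of the time-exceeded message is addressed to the PAT address and carries nothing that identifies the inside host, so only the quoted inner header can be matched against the xlate table.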
01-07-2016 04:19 PM
Hi Heribert,
Did you ever get this issue fixed on your setup? I'm having the exact same issue on a 5510 running 9.1.5.
04-05-2014 10:47 PM
04-05-2014 11:10 PM
Hello Marcus,
The fixup commands are no longer in use, instead the inspect is configured.
#sh run fixup
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.
The policy-map configuration is as follows:
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
inspect icmp
inspect icmp error
inspect sip
!
The ACL now looks like this:
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit ip any 200.200.200.0 255.255.255.240
access-group OUTSIDE in interface outside
The IP I'm tracing from is in the range of the 172.16.0.0 /24