cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4584
Views
0
Helpful
13
Replies

Traceroute through FWSM

jbaraona
Level 1
Level 1

 

I need to know why traceroute command through Cisco FWSM with dynamic PAT does not work.

I can only make it work with a non-translated IP or with static NAT.

Is this a bug or it just does not work?

 

Cisco FWSM Firewall Version 4.1(15).

 

Thanks a lot,

Jose.

13 Replies 13

Not sure what you mean by non translated IP. Do you mean an IP on the same subnet as the PC you are tracing from?

By default traceroute is dropped on the firewall, or more accurately the replies are being dropped.  so you would need to add an ACL on the outside interface that allows echo-reply ingress.

 

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hello Marius, thanks for your response.

By non translated IP I was talking about a no Natted one.

I already tried configuring an ACL allowing time-exceeded, unreachables and also allowing all ICMP but unfortunately that does not solve the problem.

thanks for your help.

Could you provide a full running config (sanitised), and a description of which interface the PC you are tracing from is located on. I am assuming that since you mention dynamic PAT that the destination host is located on the internet somewhere?

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

The traceroute not working is from INSIDE to OUTSIDE with dynamic PAT, for instance from 172.16.0.X /24 to 8.8.8.8

If I assign a public IP that is just routed, the traceroute works ok. Also if I configure a static NAT again everything is good. The config is pretty basic.

Here's the config:

:

FWSM Version 4.1(15) 
!
hostname XXXX
domain-name XXXX.com
enable password XXXXXX
names
dns-guard
!
interface Vlan101
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 10.50.3.49 255.255.255.248
!
interface Vlan102
 description INSIDE
 nameif inside
 security-level 100
 ip address 10.50.3.65 255.255.255.248 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list INSIDE extended permit ip any any
!
access-list OUTSIDE extended permit ip any 200.200.200.0 255.255.255.240 
!
logging enable
logging timestamp
logging buffer-size 1000000
logging buffered debugging
logging trap warnings
logging asdm warnings
mtu outside 1500
mtu inside 1500
!
monitor-interface outside
monitor-interface inside
!
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
global (outside) 1 200.200.200.1
!
nat (inside) 1 172.16.0.0 255.255.255.0
!
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
!
route services 172.16.0.0 255.255.255.0 10.50.3.66
route services 200.200.200.0 255.255.255.240 10.50.3.66
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
!
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
no snmp-server location
no snmp-server contact
service reset no-connection
no service reset connection marked-for-deletion
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
class-map default
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect skinny 
  inspect smtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect icmp error 
  inspect icmp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c152d23d422a5b99471378e3eb015fca
: end

Thanks a lot.

try adding the following commands and then test:

fixup protocol icmp

fixup protocol icmp error

access-list OUTSIDE extended permit icmp any any echo-reply

access-list OUTSIDE extended permit icmp any any unreachable

access-list OUTSIDE extended permit icmp any any time-exceeded

access-group OUTSIDE in interface outside

 

Let me know how it goes.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hello,

If you check the icmp and icmp error inspections are already there. I added the ACLs but didn't fix the problem.

thanks.

yes, i keep forgetting the fixup command is replaced.

But it is odd that it is not working. All the correct commands are present to allow the traceroute.

If you do a packet capture on the inside and outside interface for the specific host you are tracing from and to, do you see the icmp requests and replies?

As an extreme, try clearing the xlate table and then test.  Clearing the xlate table will cause all active connections to need to be re-established.  So best to do this in a service window.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hallo jbaraona,

 

did you manage to fix the issue. I have the very same behaviour with an ASA 5510 running 9.1(5).

 

Thanks,

Heri

Hello, for the FWSM there is no option, it does not work.

For ASA I think you could try the solution suggested by Marius:

try adding the following commands and then test:

inspect protocol icmp

inspect protocol icmp error

access-list OUTSIDE extended permit icmp any any echo-reply

access-list OUTSIDE extended permit icmp any any unreachable

access-list OUTSIDE extended permit icmp any any time-exceeded

access-group OUTSIDE in interface outside

 

Hi Jbaraona,

 

Looking at your FWSM I noticed that nat statement for network 10.50.3.64/29 is missed, please try to do this:

 

nat (inside) 1 10.50.3.64 255.255.255.248

 

PS: When enabling ICMP inspection, you would not need to enable the return traffic on the outside interface.

 

 

Regards,

Aref

Hi Heribert, 

Did you ever get fix this issue on your setup?,  I'm having the exact same issue on a 5510 running 9.1.5

Could you issue the command: show run all | in fixup also which ip are you tracing from? You need both the fixup and ACL config to get trace to work could you also post a fresh config that includes any changes -- Please remember to rate and select a correct answer
--
Please remember to select a correct answer and rate helpful posts

Hello Marcus,

The fixup commands are no longer in use, instead the inspect is configured.

#sh run fixup 
INFO: All 'fixup' commands have been converted to 'inspect' commands.
Please use 'show running-config service-policy' in conjunction
with 'show running-config policy-map' to view the new configuration.

The policy-map configuration is as follows:

!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect skinny 
  inspect smtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect pptp 
  inspect icmp 
  inspect icmp error 
  inspect sip 
!

The ACL now looks like this:

access-list OUTSIDE extended permit icmp any any echo-reply

access-list OUTSIDE extended permit icmp any any unreachable

access-list OUTSIDE extended permit icmp any any time-exceeded

access-list OUTSIDE extended permit ip any 200.200.200.0 255.255.255.240 

access-group OUTSIDE in interface outside

The IP I'm tracing from is in the range of the 172.16.0.0 /24

Review Cisco Networking for a $25 gift card