Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2043
Views
0
Helpful
3
Replies

Traceroute, tracert, mtr and the Firepower.

Stephen Carville
Level 1
Level 1

‎03-13-2018 10:41 AM - edited ‎02-21-2020 07:30 AM

I have a new set of Firepower 2130 appliances and a Management Center 1000. One of the differences between the 5525x and the Firepower is that some users can run traceroute, tracert or mtr and get useful information. Other users cannot get past their gateway. This worked correctly on the ASA 5525x but when the consultant did the conversion to the Firepower rules some weird stuff happened.

 

Where is traceroute, etal set up? I know the process uses ICMP and/or UDP but just allowing those outbound has not cured the problem. Is there some inspection rule I need to create?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Florin Barhala
Level 6
Level 6

‎03-14-2018 05:00 AM

I am also interested in this as we might migrate this year.

Meantime can you share your current traceroute "config ". I am having some issues to make it work on my current ASAs.

0 Helpful

Stephen Carville
Level 1
Level 1
In response to Florin Barhala

‎03-14-2018 09:00 AM - edited ‎03-14-2018 09:02 AM

@Florin Barhala wrote:

I am also interested in this as we might migrate this year.

 

I've only had it a few days but, so far, I am unimpressed.  Even a simple change like blacklisting the IP of a CNC server requires redeploying the entire policy.  That takes five to ten minutes.  Don't get me started on the HTML 5 interface.

What was Cisco thinking?

 

Meantime can you share your current traceroute "config ". I am having some issues to make it work on my current ASAs.

As I recall, on the ASA  I first had to create an object list for the icmp types I wanted to accept from outside:

object-group icmp-type icmp_permit
 description icmp types allowed
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable

Then on the outside interface acl I added:

  permit icmp any any object-group icmp_permit

Finally, the global policy map had to be made aware of icmp

policy-map global_policy
 class inspection_default
  <buncha stuff>
  inspect icmp
  inspect icmp error

0 Helpful

Florin Barhala
Level 6
Level 6
In response to Stephen Carville

‎03-15-2018 12:18 AM

This is not good news (about FTD I mean).
As for my trace issue, I cannot trace from ASA itself specifying the source interface.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top