So,
I've read through netpro and found everyone points to this doc.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
However, that still doesn't allow traceroute through for us. We still see syslogs with denies on high, random UDP ports to different Internet destinations.
Can someone look at our config and tell me why this might be happening?
Host 10.10.10.12 (default gateway is the ASA) ---> traceroute to 8.8.8.8
>>>>>Firewall config<<<<<
object-group service TRACEROUTE
service-object icmp unreachable
service-object icmp time-exceeded
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp time-exceeded
access-list Admin_Network-in extended permit object-group TRACEROUTE 10.10.10.0 255.255.255.0 any
access-group Admin_Network-in in interface Admin_Network
class-map IPS
match access-list IPS
class-map CONNS
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1024
policy-map IPS-Policy
class IPS
ips inline fail-open sensor PreProd_Sensor
set connection timeout dcd
set connection decrement-ttl
class inspection_default
inspect icmp
inspect icmp error
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect dcerpc
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
!
service-policy global_policy global
service-policy IPS-Policy interface Admin_Network
>>>>>>SYSLOG output<<<<<
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:8.8.8.8/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:8.8.8.8/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:8.8.8.8/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:8.8.8.8/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:8.8.8.8/33453 by access-group "Admin_Network-in" [0x0, 0x0]
IOS/ASA use the UNIX/Linux traceroute, which is UDP-based. Windows uses ICMP-based traceroute, so following your config, traceroute from a Windows machine should now work through the ASA.
You need the following for ICMP traceroute:
icmp unreachable
icmp time-exceeded
icmp echo-reply
echo, echo-reply, and inspect icmp are also useful to allow pings...
I think by default the ASA will not show up in traceroutes (it will not reply as being a hop itself); for that you need a policy-map with the action decrement-ttl.
You should take a look at this technote; it explains it all:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Hope that helps,
Patrick
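The deny lines in the question fit the pattern Patrick describes: one source host, destination 8.8.8.8, UDP destination ports 33450-33455 incrementing by one per probe, which is how the UNIX/Linux traceroute walks up from its default base port 33434. The script below is an added example (it is not from the thread, Cisco, or the poster's firewall): it parses ASA "Deny udp" syslog lines, groups the ones that land in the traceroute port range, and emits an object-group/ACL fragment that would permit those probes. The sample log text is constructed from the lines quoted above plus one made-up DNS deny so the filter has something to reject; the port ceiling 33534 and the 8.3+ style `service-object udp destination range` syntax in the suggested ACL are assumptions, not verified against the poster's ASA version.

```python
"""Spot UNIX/Linux traceroute probes in ASA 'Deny udp' syslog lines.

Added example, not code from the thread or from Cisco. The log text below is
constructed (five lines copied from the question plus one invented DNS deny);
the suggested ACL syntax assumes ASA 8.3+ object-group service syntax.
"""
import re
from collections import defaultdict

# traceroute(8) starts probes at UDP/33434 and increments the destination port
# by one per probe; 33434 + 30 hops * 3 probes = 33524, so 33434-33534 is the
# range an ACL usually has to permit. The upper bound is an assumption.
TRACEROUTE_PORT_MIN = 33434
TRACEROUTE_PORT_MAX = 33534

# Matches the "%ASA-4-106023"-style deny text shown in the question.
LINE_RE = re.compile(
    r"Deny (?P<proto>udp|tcp) src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: the question's five lines plus one unrelated DNS deny.
SAMPLE_SYSLOG = """\
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:8.8.8.8/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:8.8.8.8/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:8.8.8.8/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:8.8.8.8/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:8.8.8.8/33453 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:58:02|Deny udp src Admin_Network:10.10.10.12/41001 dst Preprod_F5:8.8.8.8/53 by access-group "Admin_Network-in" [0x0, 0x0]
"""


def parse_denies(text):
    """Return one dict per ASA deny line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
            records.append(rec)
    return records


def is_traceroute_probe(rec):
    """UDP to the traceroute port range is the UNIX/Linux traceroute signature."""
    return rec["proto"] == "udp" and TRACEROUTE_PORT_MIN <= rec["dst_port"] <= TRACEROUTE_PORT_MAX


def find_traceroutes(text, min_probes=3):
    """Group probe-looking denies by (src_ip, dst_ip, acl).

    A single traceroute sends one probe per destination port, so a group with
    several distinct ports (default 3 or more) is reported as a traceroute;
    a lone packet in the range is ignored as noise.
    """
    groups = defaultdict(list)
    for rec in parse_denies(text):
        if is_traceroute_probe(rec):
            groups[(rec["src_ip"], rec["dst_ip"], rec["acl"])].append(rec)
    found = {}
    for key, recs in groups.items():
        ports = sorted({r["dst_port"] for r in recs})
        if len(ports) >= min_probes:
            found[key] = ports
    return found


def suggest_acl(acl_name, src_net, src_mask):
    """ASA lines that would permit the probes (assumed fix, 8.3+ syntax)."""
    return [
        "object-group service TRACEROUTE-UDP",
        f" service-object udp destination range {TRACEROUTE_PORT_MIN} {TRACEROUTE_PORT_MAX}",
        f"access-list {acl_name} extended permit object-group TRACEROUTE-UDP {src_net} {src_mask} any",
    ]


if __name__ == "__main__":
    for (src, dst, acl), ports in find_traceroutes(SAMPLE_SYSLOG).items():
        print(f"{src} -> {dst}: UDP traceroute probes on ports {ports}, denied by {acl}")
        print("\n".join(suggest_acl(acl, "10.10.10.0", "255.255.255.0")))
```

Feed it the real syslog instead of `SAMPLE_SYSLOG` to confirm the denies are traceroute probes before loosening the ACL; a deny to UDP/53 or any port outside the range is left alone, which is the point of permitting only the probe range rather than "all IP".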
Hello,
Make sure you have this command:
icmp unreachable rate-limit 10 burst-size 5
Can you allow all IP access on the incoming interface for testing?
Also, on the outside (looks like Preprod_F5) interface, you need to allow ICMP replies of type time-exceeded.
Regards,
Felipe.