865 Views, 0 Helpful, 2 Replies

Beginner
Unable to traceroute through ASA5585-x 8.4.4(9)

So,

I've read through netpro and found everyone points to this doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

However, that still doesn't allow traceroute through for us. We still see syslogs with denies on high-level random UDP ports to different Internet destinations.

Can someone look at our config and tell me why this might be happening? 

Host 10.10.10.12 (default gateway is the ASA) ---> traceroute to 8.8.8.8

>>>>>Firewall config<<<<<

object-group service TRACEROUTE
 service-object icmp unreachable
 service-object icmp time-exceeded
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
 service-object icmp time-exceeded
access-list Admin_Network-in extended permit object-group TRACEROUTE 10.10.10.0 255.255.255.0 any
access-group Admin_Network-in in interface Admin_Network
class-map IPS
 match access-list IPS
class-map CONNS
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map IPS-Policy
 class IPS
  ips inline fail-open sensor PreProd_Sensor
  set connection timeout dcd
  set connection decrement-ttl
 class inspection_default
  inspect icmp
  inspect icmp error
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect dcerpc
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
!
service-policy global_policy global
service-policy IPS-Policy interface Admin_Network

>>>>>>SYSLOG output<<<<<

Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:8.8.8.8/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:8.8.8.8/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:8.8.8.8/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:8.8.8.8/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:8.8.8.8/33453 by access-group "Admin_Network-in" [0x0, 0x0]

2 REPLIES

Enthusiast

IOS/ASA use UNIX/Linux traceroute, which is UDP-based. Windows uses ICMP-based traceroute, so following your config, traceroute from a Windows machine should now work through the ASA.

You need the following for ICMP traceroute:

icmp unreachable

icmp time-exceeded

icmp echo-reply

Echo, echo-reply and inspect icmp are also useful to allow pings...

I think by default the ASA will not show up in the traceroutes (will not reply as being a hop itself); for that you need a policy-map with action decrement-ttl.

You should take a look at this technote, it explains it all:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope that helps,

Patrick
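The reply above explains why the original poster's ICMP-only object-group does not help: a UNIX/Linux traceroute sends UDP datagrams to incrementing high destination ports (33450-33455 in the quoted syslogs), and those are what the ACL drops. The script below is an added example, not code from the thread or from Cisco: it parses the "Deny udp" syslog lines in the format the original post shows, recognises the incrementing-port pattern of a UDP traceroute from a given source, and prints a narrow candidate access-list entry (UDP to the probe port range from the admin subnet only) as a least-privilege alternative to permitting all IP for testing. The port range 33434-33534, the MIN_PROBES threshold, the `suggest_ace` wording and the sixth (DNS) sample line are assumptions constructed for the example, and the generated ACE should be checked against the ASA access-list syntax reference before use.

```python
import re
from collections import defaultdict

# Constructed sample input: the first five lines reproduce the "Deny udp" syslog
# lines quoted in the thread; the sixth is a made-up DNS deny so the filter has
# something to ignore.
SAMPLE_LOGS = """\
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/59937 dst Preprod_F5:8.8.8.8/33450 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/48882 dst Preprod_F5:8.8.8.8/33452 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/58173 dst Preprod_F5:8.8.8.8/33451 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/60679 dst Preprod_F5:8.8.8.8/33455 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:57:57|Deny udp src Admin_Network:10.10.10.12/49612 dst Preprod_F5:8.8.8.8/33453 by access-group "Admin_Network-in" [0x0, 0x0]
Mar 13, 2013 18:58:10|Deny udp src Admin_Network:10.10.10.40/51234 dst Preprod_F5:203.0.113.9/53 by access-group "Admin_Network-in" [0x0, 0x0]
"""

# Matches the body of an ASA ACL deny message as it appears in the thread.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# UNIX traceroute probes start at UDP/33434 and increment by one per probe.
# 33434-33534 covers the usual default TTL/probe counts; this is an assumption
# (a site can tune traceroute), so treat it as a starting point, not a rule.
TRACEROUTE_PORTS = range(33434, 33535)
MIN_PROBES = 3  # one stray high-port datagram is not a traceroute


def parse_denies(text):
    """Return one dict per parseable 'Deny <proto>' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_udp_traceroutes(records):
    """Group UDP denies by (src, dst, acl) and keep flows whose destination
    ports fall in the traceroute range with at least MIN_PROBES distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "udp" and r["dport"] in TRACEROUTE_PORTS:
            ports[(r["sip"], r["dip"], r["acl"])].add(r["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= MIN_PROBES}


def suggest_ace(acl, src_net, src_mask):
    """Least-privilege alternative to 'permit ip ... any' for testing: only the
    UDP probe ports, only from the admin subnet. Hypothetical line, not from the
    thread; verify against the ASA access-list syntax reference before use."""
    return (f"access-list {acl} extended permit udp {src_net} {src_mask} "
            f"any range {TRACEROUTE_PORTS.start} {TRACEROUTE_PORTS[-1]}")


def report(text, src_net="10.10.10.0", src_mask="255.255.255.0"):
    """Summary lines: which host is tracerouting where, and the candidate ACE
    that would let the probes out without opening the interface to all IP."""
    lines = []
    for (sip, dip, acl), dports in find_udp_traceroutes(parse_denies(text)).items():
        lines.append(f"{sip} -> {dip}: {len(dports)} UDP probes "
                     f"({dports[0]}-{dports[-1]}) dropped by ACL {acl}")
        lines.append("  candidate ACE: " + suggest_ace(acl, src_net, src_mask))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOGS)))
```

Run against the thread's five syslog lines, the script reports a single flow from 10.10.10.12 to 8.8.8.8 with probes 33450-33455 dropped by Admin_Network-in, which is exactly the UDP-based traceroute the reply describes; the DNS deny is ignored because port 53 is outside the probe range. The ICMP time-exceeded and unreachable replies still need to be allowed back in (or handled by inspect icmp), so the ACE only addresses the outbound half of the problem.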

Participant

Hello,

Make sure you have this command:

icmp unreachable rate-limit 10 burst-size 5

Can you allow all IP access on the incoming interface for testing?

Also, on the outside (looks like Preprod_F5) interface, you need to allow ICMP replies of type time-exceeded.

Regards,

Felipe.
