By default an ASA firewall does not show up in a traceroute, because it does not decrement the TTL of packets passing through it; some traceroute programs also fail to complete through the ASA for the same reason.
Example of a trace (the first two hops are fictitious, the firewall sits at hop 3 but never answers):
C:\>tracert -d 18.104.22.168
Tracing route to 22.214.171.124
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.10.31 <-- fictitious IP
2 <1 ms <1 ms <1 ms 192.168.1.1 <-- fictitious IP
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 16 ms 16 ms 16 ms 126.96.36.199
I searched all over for a good document on how to allow traceroute through my firewall and have the firewall show up in the trace. There is some older documentation out there, but it needs to be tweaked slightly for later code. Also, you may not want to set decrement-ttl for all ICMP traffic.
In my case, I do not want to allow just anyone to run traceroute and see our firewall, so I use a class map to allow only management VLAN traffic to see the firewall. At one time there was a vulnerability on the PIX 500 when setting this, so that is partially why I don't like turning it on for everyone.
Here are the steps I used to meet my requirements above so that I can see every hop but only from a designated management network:
1. Add the following to your outside-in ACL. (With this ACL change, all computers will be able to run traceroute; however, they will not see the firewall as a hop, because the firewall does not decrement the TTL.) The remark refers to Windows tracert, which sends ICMP echo probes and only needs the time-exceeded replies; a UDP-based traceroute (Linux, macOS) also needs ICMP unreachable replies permitted in this ACL.
access-list OUTSIDE_IN remark Allow ICMP Type 11 for Windows tracert
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
2. Identify the type of traffic and its source using an ACL; in this case, ICMP traffic from the network 192.168.88.0 255.255.255.0.
access-list TRACE_ROUTE extended permit icmp 192.168.88.0 255.255.255.0 any
3. Classify that traffic using a class-map.
class-map TRACE_ROUTE_CLASS   <-- the class-map name was not given in the original; any name works
 match access-list TRACE_ROUTE
4. Add that class to the global policy and apply the "set connection decrement-ttl" command to it only (not to class-default, which would make the firewall visible as a hop to every source).
policy-map global_policy
 class TRACE_ROUTE_CLASS
  set connection decrement-ttl
5. Add the following command so the ASA may send enough ICMP replies for all three probes of each hop; the default unreachable rate limit is 1 message per second, which makes the hop show up only intermittently.
icmp unreachable rate-limit 10 burst-size 5
Traceroute will now work, and for the classified source you will now see the firewall in the trace.
Please rate this post if you find it helpful, and also leave your comments if you see any problems or vulnerabilities with the above solution.
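The point of the class-map in the steps above is that decrement-ttl should be scoped to the management network and nothing else. The script below is an added example (not part of the original post or any Cisco tool) that parses an ASA configuration and reports every place where "set connection decrement-ttl" is applied to traffic wider than the management network, or where the unreachable rate limit was never raised. The two sample configurations are constructed for the example, and the class-map name TRACE_ROUTE_CLASS is an assumption; object/object-group ACL sources are reported rather than expanded.

```python
"""Audit an ASA config for the scope of 'set connection decrement-ttl'.

Added example, not from the original post. Sample configs are constructed;
the class-map name TRACE_ROUTE_CLASS is assumed.
"""
import ipaddress
from typing import Dict, List


def _parse_source(tokens: List[str]) -> str:
    """Source of an extended ACL entry: 'any', 'a.b.c.d/n' or 'object[-group] NAME'."""
    if tokens[0] == "any":
        return "any"
    if tokens[0] == "host":
        return tokens[1] + "/32"
    if tokens[0] in ("object", "object-group"):
        return tokens[0] + " " + tokens[1]        # not expanded here
    # ASA writes networks as 'address mask', e.g. 192.168.88.0 255.255.255.0
    return str(ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False))


def parse_config(text: str) -> Dict[str, object]:
    """Collect ACL sources, class-map matches, decrement-ttl classes and the rate limit."""
    acls: Dict[str, List[str]] = {}        # ACL name -> sources of permit entries
    class_maps: Dict[str, str] = {}        # class-map name -> ACL name or 'any'
    decrement: Dict[str, List[str]] = {}   # policy-map name -> classes with decrement-ttl
    unreachable_rate_limit = False
    context = None          # ('class-map' | 'policy-map', name) for indented lines
    current_class = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():            # top-level command
            context, current_class = None, None
            if tokens[0] == "access-list" and tokens[2:4] == ["extended", "permit"]:
                # tokens[4] is the protocol; the source specification starts at tokens[5]
                acls.setdefault(tokens[1], []).append(_parse_source(tokens[5:]))
            elif tokens[0] in ("class-map", "policy-map") and tokens[1] != "type":
                context = (tokens[0], tokens[1])
            elif tokens[:3] == ["icmp", "unreachable", "rate-limit"]:
                unreachable_rate_limit = True
            continue
        if context is None:
            continue
        kind, name = context
        if kind == "class-map" and tokens[0] == "match":
            if tokens[1] == "access-list":
                class_maps[name] = tokens[2]
            elif tokens[1] == "any":
                class_maps[name] = "any"
        elif kind == "policy-map":
            if tokens[0] == "class":
                current_class = tokens[1]
            elif tokens[:3] == ["set", "connection", "decrement-ttl"] and current_class:
                decrement.setdefault(name, []).append(current_class)
    return {"acls": acls, "class_maps": class_maps, "decrement": decrement,
            "unreachable_rate_limit": unreachable_rate_limit}


def audit(text: str, management_net: str = "192.168.88.0/24") -> List[str]:
    """Return findings; an empty list means decrement-ttl is scoped to management_net."""
    cfg = parse_config(text)
    mgmt = ipaddress.IPv4Network(management_net)
    findings: List[str] = []
    for policy, classes in cfg["decrement"].items():
        for cls in classes:
            where = f"policy-map {policy} class {cls}"
            if cls == "class-default":
                findings.append(f"{where}: decrement-ttl applies to all traffic")
                continue
            acl = cfg["class_maps"].get(cls)
            if acl is None or acl == "any":
                findings.append(f"{where}: class matches any traffic or no ACL")
                continue
            for src in cfg["acls"].get(acl, []):
                if src == "any":
                    findings.append(f"{where}: ACL {acl} permits source any")
                elif src.startswith("object"):
                    findings.append(f"{where}: ACL {acl} source '{src}' not expanded; review manually")
                elif not ipaddress.IPv4Network(src).subnet_of(mgmt):
                    findings.append(f"{where}: ACL {acl} source {src} is outside {mgmt}")
    if cfg["decrement"] and not cfg["unreachable_rate_limit"]:
        findings.append("icmp unreachable rate-limit not raised; hops may show as * under the default limit")
    return findings


# Constructed sample: the scoped configuration from the steps in the post.
SCOPED_CONFIG = """\
access-list OUTSIDE_IN remark Allow ICMP Type 11 for Windows tracert
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list TRACE_ROUTE extended permit icmp 192.168.88.0 255.255.255.0 any
class-map TRACE_ROUTE_CLASS
 match access-list TRACE_ROUTE
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
 class TRACE_ROUTE_CLASS
  set connection decrement-ttl
icmp unreachable rate-limit 10 burst-size 5
"""

# Constructed sample: decrement-ttl on class-default exposes the hop to every source.
GLOBAL_CONFIG = """\
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
policy-map global_policy
 class class-default
  set connection decrement-ttl
icmp unreachable rate-limit 10 burst-size 5
"""

if __name__ == "__main__":
    for label, cfg in (("scoped", SCOPED_CONFIG), ("global", GLOBAL_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against the output of "show running-config" saved to a file by passing the file contents to audit(); pass your own management network as the second argument.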