Joshua Engels

Objective:

Allowing Traceroute through ASA Firewall 8.4

Description of problem and background:

The ASA Firewall does not show up in traceroute. Also, certain traceroute programs will not work because of this.

Example of a trace:

C:\>tracert -d 4.2.2.2

Tracing route to 4.2.2.2
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.31  <-- Fictitious ip
  2    <1 ms    <1 ms    <1 ms  192.168.1.1    <-- Fictitious ip
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8    16 ms    16 ms    16 ms  4.2.2.2

I searched all over for a good document on how to allow traceroute through my firewall and have the firewall show up in the trace. There is some older documentation out there, but it needs to be tweaked slightly for later code. Also, you may not want to set decrement-ttl for all ICMP traffic.

Here is the link to the documentation for reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

In my case, I do not want to allow just anyone to run traceroute and see our firewall, so I use a class map to only allow management VLAN traffic to see the firewall. At one time there was a vulnerability on the PIX 500 when setting this, so that is partially why I don't like turning it on for everyone.

My Solution: 

Here are the steps I used to meet my requirements above so that I can see every hop but only from a designated management network:

1. Add the following to your outside-in ACL. (With this ACL change, all computers will be able to traceroute; however, they will not see the firewall as a hop because it does not decrement the TTL.)

     access-list OUTSIDE_IN remark Allow ICMP Type 11 for Windows tracert
     access-list OUTSIDE_IN extended permit icmp any any time-exceeded

2. Identify the type of traffic and its source using an ACL; in this case, ICMP traffic from the network 192.168.88.0 255.255.255.0.

     access-list TRACE_ROUTE extended permit icmp 192.168.88.0 255.255.255.0 any

3. Classify that traffic using a class-map.

     class-map ICMP
      match access-list TRACE_ROUTE

4. Add the classification to the global policy, together with the "set connection decrement-ttl" command for this traffic.

     policy-map global_policy
      class ICMP
       set connection decrement-ttl

5. Add the following command.

     icmp unreachable rate-limit 10 burst-size 5

Traceroute will now work, and for the classified source you will now see the firewall in the trace.

Please rate this post if you find it helpful, and also leave your comments if you see any problems or vulnerabilities with the above solution.

Hope this helps!

Comments
adrianopinaffo1

Hello,

I know this has been a long time ago, but I'm facing the same issue in the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.

I also checked my ASA configuration, and the only setting that is not present is the "match any" for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:

ASA(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Can you guys help me? I posted below the tracert output and the concerned configuration. I can't find the misfit and I already checked most of the configuration forums.

C:\>tracert www.google.com

Tracing route to www.google.com [173.194.79.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23   212 ms   212 ms   212 ms  pb-in-f104.1e100.net [173.194.79.104]

Trace complete.

---Router configuration

icmp unreachable rate-limit 10 burst-size 5
!
!
!
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object icmp6 echo-reply
 service-object icmp6 time-exceeded
 service-object icmp6 unreachable
!
!
!
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
!
!
!
access-group IF_outside_access_in in interface IF_outside
!
!
!
class-map class_default
!--- This does not exist -> match any
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
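As an added example that is not from either poster, here is a small Python audit that reads an ASA configuration text and checks the two things the original post relies on: an inbound access-list entry permitting ICMP time-exceeded, and `set connection decrement-ttl` applied only under a class-map that matches an access-list rather than under class-default, which the post advises against. The indentation-based parser and the sample configuration are my own constructions, modelled on (but not copied from) the commenter's config.

```python
def parse_blocks(cfg):
    """Group indented lines under their top-level command; '!' lines are skipped."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_traceroute_config(cfg):
    """Return findings; empty means ICMP time-exceeded is permitted inbound and
    decrement-ttl is applied only to a class scoped by 'match access-list'."""
    blocks = parse_blocks(cfg)
    findings = []
    # service object-groups that carry time-exceeded (the commenter's style)
    te_groups = {h.split()[2] for h, kids in blocks
                 if h.startswith("object-group service")
                 and "service-object icmp time-exceeded" in kids}
    if not any(h.startswith("access-list") and " permit " in h
               and ("time-exceeded" in h or te_groups & set(h.split()))
               for h, _ in blocks):
        findings.append("no access-list entry permits ICMP time-exceeded")
    # class-map name -> ACL it matches, or None if it matches something else
    class_acl = {h.split()[1]: next((k.split()[-1] for k in kids
                                     if k.startswith("match access-list")), None)
                 for h, kids in blocks if h.startswith("class-map ")}
    for h, kids in blocks:
        if not h.startswith("policy-map "):
            continue
        current = None  # the class that later 'set connection' lines belong to
        for k in kids:
            if k.startswith("class "):
                current = k.split()[1]
            elif "decrement-ttl" in k and class_acl.get(current) is None:
                findings.append(f"{h}: decrement-ttl under class '{current}' "
                                "is not limited to a source network by an ACL")
    return findings

# Constructed sample (not the commenter's exact text): decrement-ttl on class-default
SAMPLE = """\
object-group service ICMP_Return
 service-object icmp time-exceeded
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
policy-map global_policy
 class class-default
  set connection decrement-ttl
"""
```

Running `audit_traceroute_config(SAMPLE)` reports the class-default finding, while the original post's ACL/class-map/policy-map pattern produces no findings.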
