Objective:
Allowing Traceroute through ASA Firewall 8.4
Description of problem and background:
ASA Firewall does not show up in Traceroute. Also certain traceroute programs will not work due to this.
Example of a trace:
C:\>tracert -d 4.2.2.2
Tracing route to 4.2.2.2
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.10.31 <-- Fictitious ip
2 <1 ms <1 ms <1 ms 192.168.1.1 <-- Fictitious ip
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 16 ms 16 ms 16 ms 4.2.2.2
I searched all over for a good document on how to allow traceroute through my firewall and have the firewall show up in the trace. There is some older documentation out there but it needs to be tweaked slightly for later code. Also, you may not want to set decrement-ttl for all icmp traffic.
Here is the link to the documentation for reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
In my case, I don not want to allow just anyone to run traceroute and see our firewall so I use a class map to only allow management vlan traffic to see firewall. At one time there was a vulnerability on the PIX 500 when setting this so that is partially why I don't like turning it on for everyone.
My Solution:
Here are the steps I used to meet my requirements above so that I can see every hop but only from a designated management network:
1. Add the following to your outside-in ACL. (With this ACL change, all computers will be able to traceroute however, they will not see the firewall as a hop because it does not decrement the TTL)
#access-list OUTSIDE_IN remark Allow ICMP Type 11 for Windows tracert
#access-list OUTSIDE_IN extended permit icmp any any time-exceeded
2. Identify the type of traffic and it's source using an ACL; in this case, ICMP traffic from the network 192.168.88.0 255.255.255.0
#access-list TRACE_ROUTE extended permit icmp 192.168.88.0 255.255.255.0 any
3. Classify that traffic using a class-map.
#class-map ICMP
..# match access-list TRACE_ROUTE
4. Add classification to the Global Policy in addition to the "set connection decrement-ttl" command for this traffic.
#policy-map global_policy
..#class ICMP
...#set connection decrement-ttl
5. Add the following Command.
#icmp unreachable rate-limit 10 burst-size 5
Tracerout will now work and for the classified source you will now see the firewall in the trace.
Please rate this post if you find it helpful and also leave your comments if you see any problems or vulnerabilites with the above solution.
Hope this helps!