Tracert through firewall

whiteford
Level 1

Hi,

For me to get tracert to work through my Cisco ASA and any DMZ/sub-interfaces, I had to create a rule on the inside and other interfaces:

permit icmp any any

Is this a security risk or can I leave these on each interface?

7 Replies

abinjola
Cisco Employee

Hello Whiteford,

Remove the ACLs and just add inspect icmp and inspect icmp error in the global policy, global_policy:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

See if it works.

Hello,

I am using the ASDM, but am happy to go into the CLI. Which part do I need to add to do tracert between interfaces?

Just this?

policy-map global_policy
 class inspection_default
  inspect icmp

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Make sure there is no ACL on the inside interface/higher-security interface blocking ICMP.

Now try to tracert from the higher-security side/LAN to a device in a lower-security zone and it should work.

No luck I'm afraid. This is what I already have, but it works when I add the permit icmp any any:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error

Could it be an ACE? I have the deny any any at the bottom of each ACL for the interface.

Thanks

If you have an ACL on the LAN interface/higher-security interface then you must open icmp any any eq echo in it; the return reply will be taken care of by inspect.

Hi,

In order to get tracert to work through the ASA, do the following.

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop.
ciscoasa(config)#access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
ciscoasa(config)#access-list outside-in-acl extended permit icmp any any time-exceeded
!--- The access-list for the far end of the ICMP traffic (in this case
!--- the outside interface) needs to be modified in order to allow ICMP type 11 replies
!--- (time-exceeded):
ciscoasa(config)#access-group outside-in-acl in interface outside

Rate if helpful.

Thanks

It seems to work only if I have an icmp any any in to my "inside" interface and on my "DMZ" interface. So I need two rules to get it to work; does this sound right to you?

Security levels:
DMZ = 10
Outside = 0
Inside = 100

My policy:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error
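As an added example, not taken from this thread or from Cisco's own documentation, here is how the advice in the replies fits together on one ASA, with the broad rule the original poster added shown next to a narrowed version. The ACL names (inside-in, dmz-in) and the interface nameif values (inside, DMZ, outside) are assumptions; the inspect lines, the decrement-ttl and rate-limit commands and the time-exceeded ACE on the outside interface are the ones given in the replies above.

```cisco
! Broad rule from the question. It admits every ICMP type and code inbound on
! the interface, not only the echo request that tracert actually sends.
access-list inside-in extended permit icmp any any
access-list dmz-in extended permit icmp any any

! Narrowed equivalent (assumed ACL names). Only echo requests are admitted
! inbound on each higher-security interface; the echo-reply, time-exceeded and
! unreachable messages that answer them are matched to the originating session
! by the ICMP inspection below, so no permit ACE is needed for them.
access-list inside-in extended permit icmp any any echo
access-list dmz-in extended permit icmp any any echo
! ... the interface's existing ACEs for other traffic go here ...
access-list inside-in extended deny ip any any
access-list dmz-in extended deny ip any any
access-group inside-in in interface inside
access-group dmz-in in interface DMZ

! Stateful ICMP inspection plus TTL decrement, as given in the replies.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
service-policy global_policy global

! Let the ASA itself answer as a hop without the probes timing out.
icmp unreachable rate-limit 10 burst-size 5

! Far end of the trace (outside interface), taken from the Cisco note quoted above:
access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
access-list outside-in-acl extended permit icmp any any time-exceeded
access-group outside-in-acl in interface outside
```

Two checks are worth making after applying this. First, ACE order matters: if an older permit icmp any any line is still present above the echo-only line in the same ACL, it wins and the narrowing has no effect, so confirm with show access-list that the broad entry is gone. Second, the DMZ interface only needs its own echo ACE if hosts in the DMZ originate traces; a trace from inside to a DMZ host is answered through the inside session's inspection state, not through the DMZ ACL.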
