ICMP Inspection and Traceroute

wispd · ‎09-14-2009

I'm setting up a ASA5520 (version 8.2(1))and would like to enable Traceroute from the Inside to the Outside. Most articles tell you to use ICMP Inspection instead of ACL's for this. ICMP Inspection appears to only allow replies that are from the destination IP and not the time-exceeded messages from the hops along the way.

ICMP Inspection allows Pings to work fine to the outside but when I try to traceroute, I will only receive the last reply from the destination, and all intermediary hops are timed out.

For example:

C:\Users\Craig>tracert -d 74.125.95.105

Tracing route to 74.125.95.105 over a maximum of 30 hops

1 * * * Request timed out.

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 34 ms 33 ms 33 ms 74.125.95.105

Trace complete.

By enabling ICMP inspection, I can see how many hops away the destination is, but I'd also like to see the addresses of those hops.

I could add an ACL to allow ICMP time-exceeded messages in, but isn't that not recommended? And all these Cisco articles seem to imply that ICMP Inpection should handle traceroute with out ACL's:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

and

http://supportwiki.cisco.com/wiki/index.php/Unable_to_ping_and_traceroute_through_the_PIX/ASA_Firewall_when_the_device_is_behind_it

So does ICMP inspection do anything but allow pings back? Shouldn't it know the state of a traceroute request and allow time-exceeded message back to the requesting computer?

Thanks!

--Craig

timohamel · ‎09-14-2009

Craig,

Have you enabled ICMP error inspection as well? In order for the ASA to process ICMP error messages, you'll need to enable error inspection with the following command in your policy:

inspect icmp error

See:

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i2_711.html#wp1639456

Regards,

Tim

Kureli Sankar · ‎09-14-2009

In addition to icmp and icmp error inspections, icmp time-exceeded needs to be allowed via access-list as well.

wispd · ‎09-15-2009

Turning on ICMP Error inspection didn't work (I think that is for inbound traceroute and I want outbound) and I was trying to be more secure by avoiding ICMP access-lists and hoping that ICMP Ispection would do that for me.

Is ICMP inspection only useful for echo-replies?

It appears ICMP inspection only allows ICMP replies from the destination computer. Which means it is useless for ICMP Time Exceeded and and Destination Unreachable messages since those messages can come from a intermediate hop. They have to be allowed via an access list to allow traceroute replies and PMTU Discovery messages.

I guess ICMP may work for Source Quench since those replies would come from the source.

Kureli Sankar · ‎09-15-2009

I tested it before I wrote yesterday. I only had to add inspect icmp and inspect icmp error and allow time-exceeded to come back (for outbound trace route)

you are right icmp inspection is only allow one response to come back.

The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194

inspect icmp error command creates xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194