Traceroute across ASA Query

ankurs2008
Level 1

Hi halijenn / all

I have a query in the context of inbound and outbound traceroute via the ASA firewall.

a) To configure the ASA to show its internal network from the outside network:

ciscoasa(config)#access-list internal-out permit icmp any any echo-reply
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)#access-list internal-out permit icmp any any unreachable
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside

I want to know whether, just for the inbound traceroute, the above access-list is required or not, as per the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

I am getting confused as to what specifically we require for inbound traceroute. I believe it is a combination of static NAT + ICMP error inspection and "set decrement-ttl" (if we want to see the ASA interface in the output). If anything else is required, please correct me.

2) For the outbound traceroute, do we have to allow "inspect icmp" and "inspect icmp error" and allow time-exceeded (ACL)? If yes, I want to know why "inspect icmp error" is required for outbound traceroute.


Hi,

To allow PING/traceroute through the ASA you would normally use an ACL to allow ICMP echo-reply, unreachable and time-exceeded, as you mentioned.

Remember that for inbound traffic, you should also have a STATIC NAT for the device that you're trying to reach.

For outbound traffic, only NAT is required (all IP traffic is permitted by default).

The problem is that the ICMP responses from the inside network are not allowed through the ASA back in.

There are two solutions:

1. Use the ACL on the outside to permit the ICMP packets you wish.

2. Use "icmp inspection" to allow the replies from connections initiated on the INSIDE.

Federico.

Hi

a) My query is as to why, according to the link below, the access-lists are configured when the heading of the topic says:

Configure the PIX/ASA to show its internal network from the outside network:

Please read the document below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

If it just combines the traffic for both inbound and outbound traceroute, I agree; however, whether we need ACLs for inbound traceroute or not is the actual QUESTION over here. I agree with the static part. Also, do we need "inspect icmp" over here or not?

b) My 2nd question remains unanswered.

I don't agree with that document in this part:
"Configure the PIX/ASA to show its internal network from the outside network"
If you enter the configuration:

ciscoasa#config t
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)#access-list internal-out permit icmp any any unreachable
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error

ciscoasa(config-pmap-c)#end
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside

The only inbound traffic that you're allowing is the traffic specified in the ACL.
When you inspect ICMP, the ICMP replies to queries from the INSIDE are allowed too.
The service policy is applied globally on the ASA as well as the inbound ACL.

So, I agree with you that the above configuration does not allow the PIX/ASA to show its internal network from outside.

For outbound traceroute, I believe you should only allow the "inspect icmp".
The "inspect icmp error" is if you want to enable NAT on ICMP error messages.

Federico.

Hi

For the outbound traceroute we definitely require time-exceeded ACLs as well, otherwise the reply packet for traceroute won't be allowed in. Also, as per the thread https://supportforums.cisco.com/thread/228370, "inspect icmp error" also needs to be permitted. Please explain how the translation will work over here when the packet is traversing from inside to outside. Also, is there any requirement for "inspect icmp" if inbound traceroute is performed?

I would really appreciate clarity on these points.

kusankar / halijenn, I would really like to know your comments on this as well.

You have the concept wrong.

You're saying you have an ASA, and you're saying that you definitely need an ACL to permit the outbound traffic? This is incorrect.

I will try to explain again...

In the ASA, you don't need an ACL to allow outbound traffic (hope I am making this clear).

In case you already have an ACL applied to the INSIDE interface, that ACL must specify all the traffic that you're permitting (everything else will be denied).

From inside to outside, the translation works depending on whether you have dynamic NAT/PAT, static NAT, policy NAT, NAT exemption, etc.

Traffic can also flow without translation if nat-control is disabled.

If you want you can post the relevant part of your configuration with exactly what you want to accomplish, so anybody here can help you out.

Federico.

Jennifer Halim
Cisco Employee

Hi Ankur,

a) For inbound traceroute, you would need to configure access-list on the outside interface to allow "icmp echo", in your case, you would need the following ACL:

access-list internal-out permit icmp any any echo

Plus static NAT statement as you already mentioned.

Both "inspect icmp" and "inspect icmp error" are required whether it is inbound or outbound traceroute. The "inspect icmp error" is required to allow all the intermediate hops of your traceroute back through the ASA.

The "set decrement-ttl" is required if you would like to see the ASA interface as one of the hops, because by default the ASA interface will not be seen as a hop in your traceroute.

b) As per the above, "inspect icmp error" is required to allow all the intermediate hops through the ASA.

Here is a much better explanation in the "inspect icmp error" command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194

Here is another document that explains both the inbound and outbound traceroute for your reference:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K25604671

Hope that helps.

Hi halijenn,

Thanks for the reply; my first question is answered. However, in the second question I want to ask 2 things, as mentioned below:

a) The access-list for time-exceeded applied on the outside interface of the firewall will allow the error messages (from the intermediate hops) back IN to the firewall; however, "inspect icmp error" over here will see that the reply ICMP messages are coming from a totally different IP address than the destination IP of the initial traceroute and will allow those packets. If the "inspect icmp error" command had NOT been specified, the packets would have been denied by the ASA (in spite of the time-exceeded ACL on the outside interface), as the intermediate hop replying would not have matched the existing session. Please let me know if my understanding of "inspect icmp error" is correct.

b) I have gone through the link below; however, I have not understood how and which IP will be translated during the outbound traceroute while "inspect icmp error" is there.

For inbound traceroute I have understood that any hops between the inside interface of the ASA and the actual internal destination (statically NATted) will be shown in the traceroute output based on the static NAT in the ASA; in the traceroute output, the IP address of those hops will be seen as the static IP of the inside server.

Hence I request you to please explain the packet flow of outbound traceroute.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194

a) "inspect icmp error" is to create xlates for all the intermediate hops. Yes, you are right: even though you have the ACL to permit the time-exceeded ICMP, if you don't have the "inspect icmp error", the traceroute will not show any of the intermediate hops. The "inspect" is to create the xlate, while the ACL is to permit the time-exceeded ICMP packet back.

b) For outbound traceroute, the intermediate hops would be from the firewall outside until the end host (destination host). The same xlates need to be created for the replies to get back to the internal host. Hence "inspect icmp error" is required. Each hop from the firewall outside until the end host will form a different session.

ankurs2008
Level 1

Hi halijenn

Thanks for the reply. On point b) I would like to confirm whether what I am thinking is correct or not.

"For outbound traceroute, the intermediate hops would be from the firewall outside until the end host (destination host)."

This means that the source will get translated to the outside interface of the ASA and the packets will be as follows. Consider that there are 2 hops after the firewall outside interface until the final destination.

a)

Initial Packet : Original Inside IP -> Hop 1 [ Session 1 ]

Initial NAT Packet : Firewall Outside Interface -> Hop 1 [ Session 1 ]

Reply packet : Hop 1 -> Firewall Outside Interface ; the Firewall Outside Interface will then get changed to the Original Inside IP

b)

Initial Packet : Original Inside IP -> Hop 2 [ Session 2 ]

Initial NAT Packet : Firewall Outside Interface -> Hop 2 [ Session 2 ]

Reply packet : Hop 2 -> Firewall Outside Interface ; the Firewall Outside Interface will then get changed to the Original Inside IP

c)

Initial Packet : Original Inside IP -> Destination Hop [ Session 3 ]

Initial NAT Packet : Firewall Outside Interface -> Destination Hop [ Session 3 ]

Reply packet : Hop 3 -> Firewall Outside Interface ; the Firewall Outside Interface will then get changed to the Original Inside IP

Yes, you are absolutely correct.

It will allow the ICMP session back in depending on which ICMP messages respond from each hop (from an xlate/session point of view).
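To make the session-matching point concrete, here is a toy Python model (added here; not code from the thread or from Cisco) of the outbound traceroute walkthrough above: a PAT to the outside interface, an outside ACL permitting echo-reply/time-exceeded/unreachable, and an "inspect icmp error" switch that matches an error from an intermediate hop against the probe quoted inside it. All addresses, the ICMP identifier used as the session key, and the hop list are constructed for illustration.

```python
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.1"  # assumed ASA outside interface (PAT address)
INSIDE_HOST = "10.1.1.50"   # assumed internal host running traceroute

@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: str      # "echo", "echo-reply", "time-exceeded" or "unreachable"
    ident: int          # ICMP identifier, used here as the session key
    inner: tuple = ()   # (src, dst, ident) of the probe quoted inside an error

class Asa:
    def __init__(self, inspect_icmp_error: bool):
        self.inspect_icmp_error = inspect_icmp_error
        self.sessions = {}  # (translated src, dst, ident) -> inside host

    def outbound(self, pkt: Packet) -> Packet:
        # Dynamic PAT to the outside interface; the xlate is keyed on the probe.
        self.sessions[(OUTSIDE_IP, pkt.dst, pkt.ident)] = pkt.src
        return Packet(OUTSIDE_IP, pkt.dst, pkt.icmp_type, pkt.ident)

    def inbound(self, pkt: Packet) -> "Packet | None":
        """Untranslated packet delivered inside, or None if the ASA drops it."""
        if pkt.icmp_type not in ("echo-reply", "time-exceeded", "unreachable"):
            return None  # the outside ACL from the thread permits only these types
        if pkt.icmp_type == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident)  # reply comes from the probe's destination
        elif self.inspect_icmp_error and pkt.inner:
            key = pkt.inner  # error from a hop: match on the quoted probe, not the outer src
        else:
            return None  # the hop's own address matches no session without error inspection
        inside = self.sessions.get(key)
        return Packet(pkt.src, inside, pkt.icmp_type, pkt.ident, pkt.inner) if inside else None

def trace(inspect_icmp_error, hops=("198.51.100.1", "198.51.100.2"), dst="192.0.2.10"):
    """Return the source address seen for each TTL, '*' where the reply was dropped."""
    asa, seen = Asa(inspect_icmp_error), []
    for ttl, hop in enumerate(hops + (dst,), start=1):
        probe = asa.outbound(Packet(INSIDE_HOST, dst, "echo", ttl))
        if hop == dst:
            reply = Packet(dst, OUTSIDE_IP, "echo-reply", ttl)
        else:
            reply = Packet(hop, OUTSIDE_IP, "time-exceeded", ttl,
                           inner=(probe.src, probe.dst, probe.ident))
        delivered = asa.inbound(reply)
        seen.append(delivered.src if delivered else "*")
    return seen
```

With error inspection off only the final echo-reply gets through and the intermediate hops show as "*", which is the symptom halijenn describes when the ACL is present but "inspect icmp error" is missing.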

ankurs2008
Level 1

Hi halijenn

Please reply to my above query.

ankurs2008
Level 1

halijenn,

Thanks for the excellent guidance and explanation!!

You are welcome, and thanks for the rating.
