07-23-2014 05:06 AM - edited 03-11-2019 09:31 PM
Hi
We have an ASA5545 with IOS 9.1(1); we are unable to traceroute to any public IPs from the inside host.
raghu@mon:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 sw1-core-107 (10.10.4.2) 0.425 ms 0.439 ms 0.496 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
We have the below config on the ASA:
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
icmp-object traceroute
access-list outside_in extended permit icmp any any object-group icmp-allowed
access-list inside_in extended permit icmp any any object-group icmp-allowed
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
Do I need to add any other ACL to allow traceroute? Please help.
07-23-2014 05:19 AM
Hi,
I am not running the mentioned software on my home ASA so can't test this exact situation at the moment.
You could however try adding the following configuration and testing again (the first 2 lines are just used to move into the correct configuration mode/section):
policy-map global_policy
class inspection_default
inspect icmp error
This should help the replies coming from the devices between your firewall and the actual destination host get through your firewall.
Hope this helps :)
- Jouni
07-23-2014 09:55 AM
Hi
I tried adding the above configuration, but I'm still not able to traceroute to any IP or public site.
raghu@mon:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 sw1-core-107 (10.10.4.2) 0.567 ms 0.517 ms 0.460 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
raghu@mon:~$ traceroute google.com
traceroute to google.com (74.125.196.139), 30 hops max, 60 byte packets
1 sw1-core-107 (10.10.4.2) 0.841 ms 0.802 ms 0.801 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
I am able to ping any of the public sites & IPs, but I can't traceroute from the inside (private) network.
07-23-2014 10:02 AM
Hi,
Have you confirmed that no other device between the host and the firewall is blocking this traffic?
Are you able to traceroute from the ASA CLI to the mentioned IP addresses?
- Jouni
07-23-2014 10:11 AM
Hi
Yes, I am able to traceroute to the IPs from the ASA.
07-23-2014 12:37 PM
Hi,
Have you confirmed the other thing? I mean have you checked the network devices leading from the host to the ASA for any interface ACLs that could block/prevent the ICMP messages from reaching the host?
You also have the possibility to configure a traffic capture on the ASA's external and/or internal interface to capture the ICMP traffic and confirm exactly where the ICMP traffic stops.
- Jouni
07-24-2014 12:08 AM
Hi
Please find below the ACL which I added to allow traceroute & ICMP.
I am able to ping any of the public IPs & sites from the inside hosts, so ICMP is allowed; it is only traceroute that I can't do from the inside hosts.
fw-act# sh run | grep icmp
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
icmp-object traceroute
access-list outside_in extended permit icmp any any object-group icmp-allowed
access-list inside_in extended permit icmp any any object-group icmp-allowed
icmp unreachable rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
inspect icmp error
access-group outside_in in interface outside
access-group inside_in in interface inside
07-24-2014 12:14 AM
Hi,
Yes, but I am asking if there is another device in the LAN that might block this ICMP return traffic, which is generated by the devices in between your LAN host and the external server you are tracing.
Normal ICMP tends to work better because it involves only your LAN host and the destination server. Traceroute involves your LAN host and all the router hops between it and the destination server.
Have you monitored the logs on the ASA while doing the traceroute to confirm if anything is blocked on the firewall related to it? You can open the ASDM and open the Monitor/Logging section and look for any denied traffic on the external interface when doing the trace.
But I would still suggest checking the network devices on your LAN to see whether there are any interface ACLs there that might block the traffic.
- Jouni
07-24-2014 12:19 AM
Hi
This host is connected to an L2 switch, which connects to the core switch (3560), which connects to the ASA. We have not defined any ACLs on the core switch.
07-24-2014 12:49 AM
Please find the debug output below:
ICMP echo request from inside:10.10.4.101 to outside:8.8.8.8 ID=18932 seq=0 len=68
ICMP echo request translating inside:10.10.4.101 to outside:173.140.15.83
ICMP echo reply from outside:8.8.8.8 to inside:173.140.15.83 ID=18932 seq=0 len=64
ICMP echo reply untranslating outside:173.140.15.83 to inside:10.10.4.101
07-24-2014 01:19 AM
Hi,
That to me seems like a simple ICMP Echo from the host to the server and a reply directly from the server to the host.
In a traceroute I would imagine I should be seeing the different IP addresses (from the internet routers in between) replying to the host with "Time to live exceeded in transit"
You can for example use Wireshark on your host to capture all traffic sent by it and that arrives to it and check if any devices in between are replying to the ICMP messages sent.
I guess you would also check your external ACL and see if there are any hitcounts on it (time-exceeded). Can you show us the output of:
show access-list outside_in
- Jouni
07-24-2014 01:52 AM
fw-act# show access-list outside_in
access-list outside_in; 12 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any object-group icmp-allowed (hitcnt=221179) 0x4f3485dd
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=221179) 0x46105ee8
access-list outside_in line 1 extended permit icmp any any unreachable (hitcnt=113064) 0x1c800641
access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
access-list outside_in line 1 extended permit icmp any any time-exceeded (hitcnt=33942) 0x2df45441
access-list outside_in line 1 extended permit icmp any any traceroute (hitcnt=0) 0x77380270
access-list outside_in line 2 extended deny ip 127.0.0.0 255.0.0.0 any (hitcnt=0) 0x9645c259
access-list outside_in line 3 extended deny ip 192.0.0.0 255.255.255.0 any (hitcnt=0) 0xc9bbc42a
access-list outside_in line 4 extended deny ip 224.0.0.0 224.0.0.0 any (hitcnt=0) 0x4e1166f8
access-list outside_in line 5 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=0) 0xd5a73d29
access-list outside_in line 6 extended deny ip 172.16.0.0 255.240.0.0 any (hitcnt=0) 0x381828f9
access-list outside_in line 7 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0) 0x96dc063f
access-list outside_in line 8 extended deny ip host 0.0.0.0 any (hitcnt=0) 0x5b0456ed
07-24-2014 02:05 AM
Hi,
Seems like there are hitcounts on the "time-exceeded" rule.
Can you try doing the traceroute from your L3 switch?
- Jouni
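The check Jouni is driving at here is a before/after comparison of the `show access-list outside_in` hitcounts around a single traceroute: an absolute counter such as 33942 on time-exceeded only tells you that something has ever matched, not that this trace's replies did. The following is an added example, not code from the thread or from Cisco: it parses the expanded ACE lines in the exact format shown above, diffs two snapshots, and interprets the growth. The BEFORE snapshot is the output posted in the thread; the AFTER snapshot is constructed for illustration (21 more time-exceeded, 3 more unreachable), as is the hypothetical probe count of 24 (8 hops x 3 probes). Two facts the interpretation relies on: Linux and IOS traceroute send UDP probes by default, so the final hop answers with port-unreachable rather than time-exceeded, and no common traceroute implementation sends ICMP type 30 ("traceroute"), so that ACE staying at hitcnt=0 is expected.

```python
"""
Added helper (not from the thread): parse per-ICMP-type hitcounts out of
`show access-list <name>` output, diff two snapshots taken before and after a
traceroute, and say which ICMP reply types the ASA counted in between.
"""
import re
from typing import Dict

# One expanded ACE in the form shown in the thread, e.g.
#   access-list outside_in line 1 extended permit icmp any any time-exceeded (hitcnt=33942) 0x2df45441
# The aggregate "object-group icmp-allowed" line is deliberately NOT matched
# (its "object-group" token is followed by the group name, not by "(hitcnt="),
# so the group total is not double counted with the expanded entries.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+\d+\s+extended\s+"
    r"(?P<action>permit|deny)\s+icmp\s+\S+\s+\S+\s+"
    r"(?P<icmp_type>[\w-]+)\s+\(hitcnt=(?P<hits>\d+)\)"
)

# Snapshot 1: the output posted in the thread (verbatim).
BEFORE_SNAPSHOT = """\
access-list outside_in; 12 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any object-group icmp-allowed (hitcnt=221179) 0x4f3485dd
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=221179) 0x46105ee8
access-list outside_in line 1 extended permit icmp any any unreachable (hitcnt=113064) 0x1c800641
access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
access-list outside_in line 1 extended permit icmp any any time-exceeded (hitcnt=33942) 0x2df45441
access-list outside_in line 1 extended permit icmp any any traceroute (hitcnt=0) 0x77380270
access-list outside_in line 2 extended deny ip 127.0.0.0 255.0.0.0 any (hitcnt=0) 0x9645c259
"""

# Snapshot 2: CONSTRUCTED for this example, as if one 8-hop UDP traceroute
# (3 probes per hop) had run in between: 7 hops x 3 time-exceeded, 3 port-unreachable.
AFTER_SNAPSHOT = (
    BEFORE_SNAPSHOT
    .replace("time-exceeded (hitcnt=33942)", "time-exceeded (hitcnt=33963)")
    .replace("unreachable (hitcnt=113064)", "unreachable (hitcnt=113067)")
)


def parse_icmp_hitcounts(show_output: str) -> Dict[str, int]:
    """Return e.g. {"permit time-exceeded": 33942, ...}, summed across matching ACEs."""
    counts: Dict[str, int] = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # header line, aggregate object-group line, or a non-ICMP ACE
        key = f"{m['action']} {m['icmp_type']}"
        counts[key] = counts.get(key, 0) + int(m["hits"])
    return counts


def hitcount_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-key growth between two snapshots; keys that did not move are dropped."""
    delta: Dict[str, int] = {}
    for key in sorted(set(before) | set(after)):
        diff = after.get(key, 0) - before.get(key, 0)
        if diff:
            delta[key] = diff
    return delta


def traceroute_verdict(delta: Dict[str, int], probes: int) -> str:
    """Interpret the delta for a traceroute that sent `probes` UDP probes in total."""
    te = delta.get("permit time-exceeded", 0)
    unreach = delta.get("permit unreachable", 0)
    if te == 0 and unreach == 0:
        return ("no ICMP error replies were counted by this ACL during the trace: "
                "either they never reached the outside interface, or inspection "
                "passed them without an ACL lookup; capture on outside to tell")
    parts = [f"{te} time-exceeded from intermediate hops"]
    if unreach:
        parts.append(f"{unreach} unreachable (final hop of a UDP trace)")
    verdict = "permitted " + ", ".join(parts)
    if te + unreach < probes:
        verdict += f"; only {te + unreach} of {probes} probes were answered"
    return verdict


if __name__ == "__main__":
    before = parse_icmp_hitcounts(BEFORE_SNAPSHOT)
    after = parse_icmp_hitcounts(AFTER_SNAPSHOT)
    print(hitcount_delta(before, after))
    print(traceroute_verdict(hitcount_delta(before, after), probes=24))
```

Two caveats when reading the result on a real box. ASA interface ACLs only count packets that were actually evaluated by the ACL; ICMP errors that inspection or existing connection state already permits are not counted there, so a zero delta is a hint, not proof of a drop, and the `capture` on the outside interface that Jouni mentioned earlier is the authoritative check. And a growing time-exceeded counter on the outside interface, as in this thread, only proves the replies got as far as the ASA; it says nothing about the path from the ASA back to the host, which is where the later traceroute-to-the-inside-interface test from the 3560 becomes relevant.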
07-24-2014 02:40 AM
sw1-core-107#trace 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
Traceroute to the ASA inside interface IP:
sw1-core-107#traceroute 172.31.3.4
Type escape sequence to abort.
Tracing the route to 172.31.3.4
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
I can't even traceroute to the ASA inside interface IP,
but I am able to ping:
sw1-core-107#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
sw1-core-107#ping 172.31.3.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
07-24-2014 09:11 PM
Hi
Can anyone help me regarding this issue?