New Member

ASA 5525 firewall Trace Route.

Hi,

We are having an ASA 5525 firewall, and whenever I am performing a traceroute passing through the firewall, I am not getting any hop count after the firewall (the firewall IP is also not showing in the traceroute).

ICMP I had allowed, and I also configured ICMP in the policy-map global_policy.

Please help me to resolve this issue.

Regards,

Dheeraj


1 ACCEPTED SOLUTION

Accepted Solutions
New Member

ASA 5525 firewall Trace Route.

Hi Dheeraj,

The firewall blocks traceroute because it doesn't decrement the TTL value by default. You would need the following to enable the same:

Make the Firewall Show Up in a Traceroute in ASA/PIX

ciscoasa(config)#class-map class-default
ciscoasa(config-cmap)#match any
ciscoasa(config-cmap)#exit

!--- This class-map exists by default.

ciscoasa(config)#policy-map global_policy

!--- This policy-map exists by default.

ciscoasa(config-pmap)#class class-default

!--- Add another class-map to this policy.

ciscoasa(config-pmap-c)#set connection decrement-ttl

!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.

ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global

!--- This service-policy exists by default.

WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5

!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop.

Cheers,

Naveen
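The two effects Naveen's CLI comments describe (a hop that does not decrement TTL never answers a traceroute probe, and a low ICMP reply rate limit turns that hop's probes into timeouts) can be seen in a small simulation. The following is an added example, not code from the thread or from Cisco: it models a constructed path client -> r1 -> ASA -> r2 -> destination, with the ASA's TTL handling and reply token bucket as assumptions standing in for `set connection decrement-ttl` and `icmp unreachable rate-limit N burst-size M`.

```python
"""Simulate traceroute through a firewall hop that may or may not decrement TTL.

Constructed model (not Cisco code): a hop answers a probe with ICMP time-exceeded
when it decrements the TTL to zero, and the ASA-like hop only answers if its
reply token bucket (rate_limit tokens per second, burst_size capacity) has a
token, mirroring the rate-limit/burst-size comments in the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True          # False models the ASA default (no decrement-ttl)
    rate_limit: Optional[int] = None     # tokens refilled per simulated second; None = unlimited
    burst_size: Optional[int] = None     # bucket capacity
    tokens: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.burst_size if self.burst_size is not None else 0

    def tick(self):
        """Advance one simulated second: refill the reply token bucket."""
        if self.rate_limit is not None:
            self.tokens = min(self.burst_size, self.tokens + self.rate_limit)

    def can_reply(self) -> bool:
        """Consume a token for an ICMP reply; unlimited hops always reply."""
        if self.rate_limit is None:
            return True
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Forward one probe along the path.

    Returns the name of the hop that sent ICMP time-exceeded, "dest" if the
    probe reached the destination, or None if the answering hop was rate-limited
    (which the traceroute client sees as a timeout, printed as '*').
    """
    for hop in path:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.name if hop.can_reply() else None
        # A hop that does not decrement forwards the packet unchanged and so
        # can never be the hop that expires it: it is invisible to traceroute.
    return "dest"


def traceroute(path: List[Hop], probes_per_ttl: int = 3, max_ttl: int = 30) -> List[List[Optional[str]]]:
    """Classic traceroute loop: three probes per TTL, stop once the destination answers."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        for hop in path:
            hop.tick()  # assume one TTL round takes about one second
        answers = [send_probe(path, ttl) for _ in range(probes_per_ttl)]
        rows.append(answers)
        if "dest" in answers:
            break
    return rows


def build_path(asa_decrements: bool, rate_limit: int, burst_size: int) -> List[Hop]:
    """Constructed topology: r1 -> asa -> r2 (destination is past the last hop)."""
    return [
        Hop("r1"),
        Hop("asa", decrements_ttl=asa_decrements, rate_limit=rate_limit, burst_size=burst_size),
        Hop("r2"),
    ]


def run_scenarios() -> dict:
    """Three configurations discussed in the thread, run on fresh hop objects each time."""
    return {
        "default (no decrement-ttl)": traceroute(build_path(False, 1, 1)),
        "decrement-ttl, rate-limit 1 burst-size 1": traceroute(build_path(True, 1, 1)),
        "decrement-ttl, rate-limit 10 burst-size 5": traceroute(build_path(True, 10, 5)),
    }


def fmt(rows: List[List[Optional[str]]]) -> str:
    """Render like a traceroute listing, with '*' for a timed-out probe."""
    return "\n".join(
        f"{ttl:2d}  " + "  ".join(a if a else "*" for a in answers)
        for ttl, answers in enumerate(rows, 1)
    )


if __name__ == "__main__":
    for name, rows in run_scenarios().items():
        print(f"--- {name} ---")
        print(fmt(rows))
```

Running it shows the ASA missing entirely from the first listing, appearing as `asa  *  *` in the second (one token per round, three probes), and answering all three probes only once the rate limit and burst size are raised, which is the reason the accepted answer changes both settings rather than just enabling `decrement-ttl`.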

2 REPLIES
New Member

ASA 5525 firewall Trace Route.

Hi Naveen,

Problem resolved now.

Thanks for your response.

Regards,

Dheeraj

355 Views, 0 Helpful, 2 Replies