ASA 5525 firewall Trace Route.

dheeraj_singh
Level 1

Hi,

We have an ASA 5525 firewall, and whenever I perform a traceroute passing through the firewall I am not getting any hop count after the firewall (the firewall IP is also not showing in the traceroute).

I have allowed ICMP and also configured ICMP in the policy-map global_policy.

Please help me to resolve this issue.

Regards,

Dheeraj


Accepted Solution

narawat
Level 1

Hi Dheeraj,

The firewall blocks traceroute as it doesn't decrement the TTL value by default. You would need the following to enable the same:

Make the Firewall Show Up in a Traceroute in ASA/PIX

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.

ciscoasa(config)#policy-map global_policy
!--- This policy-map exists by default.

ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.

ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.

ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop.

Cheers,

Naveen
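To make the mechanism in Naveen's answer concrete, here is an added Python simulation that is not part of the original thread and is not a Cisco tool. It walks traceroute probes through a three-hop path (router, ASA, router) and shows why a firewall that does not decrement the TTL never appears as a hop, why it appears once `set connection decrement-ttl` is applied, and why the default `icmp unreachable rate-limit 1 burst-size 1` leaves the second and third probes to that hop timing out while `rate-limit 10 burst-size 5` answers all three. The token-bucket model of the rate limit is an assumption about the ASA's exact behaviour, and the hop names and addresses are constructed.

```python
"""Simulated traceroute through a firewall hop.

Added example, not from the original thread. It models the three points in
Naveen's answer: a firewall that forwards packets without decrementing the IP
TTL never emits ICMP Time Exceeded and so never appears as a hop; with
`set connection decrement-ttl` it does; and the ICMP unreachable rate limit
(modelled here as a token bucket, an assumption about the ASA's exact
behaviour) decides how many of the probes sent to that hop get a reply.
Hop names and IP addresses below are constructed.
"""
from typing import Dict, List, Optional


class Hop:
    """One forwarding device on the path between the sender and the target."""

    def __init__(self, name: str, ip: str, decrements_ttl: bool = True,
                 rate: int = 1000, burst: int = 1000) -> None:
        self.name = name
        self.ip = ip
        self.decrements_ttl = decrements_ttl
        self.rate = rate        # ICMP error replies allowed per second
        self.burst = burst      # bucket depth (burst-size)
        self._tokens = float(burst)
        self._last = 0.0

    def can_send_icmp_error(self, now: float) -> bool:
        """Token bucket: refill since the last reply, then spend one token if available."""
        self._tokens = min(float(self.burst),
                           self._tokens + (now - self._last) * self.rate)
        self._last = now
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False


def traceroute(path: List[Hop], target: str, probes: int = 3,
               probe_gap: float = 0.05, max_ttl: int = 30) -> List[Dict]:
    """Send `probes` packets per TTL value and record which address answers each.

    A reply of None is a timeout ('*' in real traceroute output).
    """
    rows: List[Dict] = []
    now = 0.0
    for ttl in range(1, max_ttl + 1):
        replies: List[Optional[str]] = []
        reached = False
        for _ in range(probes):
            now += probe_gap
            remaining = ttl
            reply: Optional[str] = None
            for hop in path:
                if not hop.decrements_ttl:
                    continue            # forwarded untouched: invisible to traceroute
                remaining -= 1
                if remaining == 0:      # TTL expired here: drop and maybe report it
                    if hop.can_send_icmp_error(now):
                        reply = hop.ip
                    break
            else:
                reply = target          # whole path traversed: target answers
                reached = True
            replies.append(reply)
        rows.append({"ttl": ttl, "replies": replies})
        if reached:
            break
    return rows


def run_scenario(decrement_ttl: bool, rate: int, burst: int) -> List[Dict]:
    """Build a fresh three-hop path (router, ASA, router) and trace through it."""
    path = [
        Hop("edge-router", "10.0.0.1"),
        Hop("asa-5525", "10.0.1.1", decrements_ttl=decrement_ttl, rate=rate, burst=burst),
        Hop("core-router", "10.0.2.1"),
    ]
    return traceroute(path, target="192.0.2.10")


def render(rows: List[Dict]) -> str:
    """Format rows the way traceroute prints them, '*' for a missing reply."""
    return "\n".join(
        f"{row['ttl']:2d}  " + "  ".join(r or "*" for r in row["replies"])
        for row in rows
    )


if __name__ == "__main__":
    print("ASA without decrement-ttl (the poster's symptom):")
    print(render(run_scenario(decrement_ttl=False, rate=1, burst=1)))
    print("\ndecrement-ttl with default icmp unreachable rate-limit 1 burst-size 1:")
    print(render(run_scenario(decrement_ttl=True, rate=1, burst=1)))
    print("\ndecrement-ttl with icmp unreachable rate-limit 10 burst-size 5:")
    print(render(run_scenario(decrement_ttl=True, rate=10, burst=5)))
```

In the first scenario the trace shows only three hops and the ASA's address never appears, which is the symptom in the question; in the second the ASA shows up as hop 2 but only the first of its three probes is answered; in the third all three probes are answered. The probes are sent 50 ms apart, so under the default limit the bucket has not refilled between them.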

2 Replies

Hi Naveen,

Problem resolved now.

Thanks for your response.

Regards,

Dheeraj
