10-22-2013 12:30 AM - edited 03-11-2019 07:54 PM
Hello,
We have a number of networks that go through our ASA, but we have never been able to run a traceroute even though we have ICMP any any running on each interface. When we try a tracert from a Windows PC to a remote destination like google it works, but if we try a trace through one of the subinterfaces off the ASA (DMZ) it doesn't work.
For example I try and trace a router on our WAN and it goes to our LAN switch which then forwards to the ASA and then it hits a wall:
C:\Users\me>tracert 172.30.2.1 (remote WAN router)
Tracing route to 172.30.2.1 over a maximum of 30 hop
1 <1 ms <1 ms <1 ms 192.168.90.254 (my gateway, which is our core LAN switch)
2 * * * Request timed out.
I've never been able to solve this, any ideas?
Thanks
10-22-2013 12:35 AM
Hi,
Check the output of the following command on your ASA
show run policy-map
If it's not present, add (if you are using the default configurations)
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
You can also check this document to help with ICMP related configurations
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Hope this helps
- Jouni
10-22-2013 12:44 AM
Hi,
Thanks for the instant reply wow!
This is what I have, I think most of it is our IPS.
sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect ils
  inspect pptp
  inspect icmp error
  inspect ftp
  inspect tftp
  inspect icmp
  inspect http
 class global-class
  flow-export event-type all destination 192.168.28.136
policy-map ME-DMZ6-IPS-POLICY
 class ME-DMZ6-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DMZ4-IPS-POLICY
 class ME-DMZ4-CLASS
  ips inline fail-open sensor vs0
policy-map ME-OUTSIDE-IPS-POLICY
 class ME-OUTSIDE-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DIGI-WAN-IPS-POLICY
 class ME-DIGI-WAN-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DIGI-SYSTEMS-IPS-POLICY
 class ME-DIGI-SYSTEMS-CLASS
  ips inline fail-open sensor vs0
policy-map ME-REC-IPS-POLICY
 class ME-REC-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DMZ10-IPS-CLASS
 class ME-DMZ10-CLASS
  ips inline fail-open sensor vs0
So I can just add what you put above?
Thanks
10-22-2013 12:50 AM
Hi,
You already seem to have both ICMP inspections enabled in the above configurations.
Make sure you have added the ACL rules to your external interface ACL
access-list
access-list
access-list
access-list
- Jouni
10-22-2013 01:12 AM
Just added those to the inside interface (where I am) and DMZ6 where 172.30.2.1 is and no luck.
This is what I see (sorry I use the ASDM but am learning the CLI more):
access-list DMZ6_WAN_access_in line 137 extended permit object-group DM_INLINE_SERVICE_36 any any 0xeba5b318
access-list DMZ6_WAN_access_in line 137 extended permit icmp any any (hitcnt=4884) 0xf1f06367
access-list DMZ6_WAN_access_in line 137 extended permit icmp any any echo-reply (hitcnt=0) 0x0afc9265
access-list DMZ6_WAN_access_in line 137 extended permit icmp any any time-exceeded (hitcnt=0) 0x36a14417
access-list DMZ6_WAN_access_in line 137 extended permit icmp any any unreachable (hitcnt=0) 0x3140b5ca
access-list inside_access_in line 292 extended permit object-group DM_INLINE_SERVICE_37 any any 0x5d4fd23c
access-list inside_access_in line 292 extended permit icmp any any (hitcnt=6751) 0xd6183fb5
access-list inside_access_in line 292 extended permit icmp any any echo-reply (hitcnt=0) 0xb2f4960f
access-list inside_access_in line 292 extended permit icmp any any time-exceeded (hitcnt=0) 0x64438bdb
access-list inside_access_in line 292 extended permit icmp any any unreachable (hitcnt=0) 0xa5dece3d
Thanks
10-22-2013 01:17 AM
Hi,
These should be added to the interface ACL that is attached to your ASA interface that's connected to the Internet. These ACL rules allow the reply messages from devices along the path to the device to which you are tracing the route.
- Jouni
10-22-2013 01:32 AM
Hi,
Same issue, although the WAN link isn't over the internet. I can do traces already to sites over the internet for example to google.
Off the ASA I have a trunk to a 3750 which has all the VLANs to these WAN sites and other VLANs and none can be traced, pings are fine. I have to create subinterfaces off the ASA and add them to the trunk. I assume it is the ASA, but maybe not now.
10-22-2013 02:17 AM
Hi,
To be honest I am not sure I can see what the problem is with the above information.
The already provided commands and link to the document are usually the ones required to get this working.
You can always test ICMP through the ASA with the "packet-tracer" command to check that the initial direction to your destination network/host is at least allowed
packet-tracer input icmp
- Jouni
10-22-2013 06:04 AM
Hi,
Here are the results,
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ6_WAN
output-status: up
output-line-status: up
Action: allow
I just put a laptop on the other side of the ASA just to prove the trace works to the WAN router and it did, so it definitely is the ASA.
Oh well, thanks for your time on this it was most appreciated.
Thanks
10-22-2013 06:10 AM
Hi,
I am not sure if the above partial output tells me anything. And I am not sure of the actual network layout and where the source and destination are with regards to it and what configurations/rules are applied to the traffic between them.
The ASA itself doesn't show up in the traceroute by default. That can be changed with the instructions in the document I linked. Though I usually leave the ASAs at their default setting regarding this so that they don't show up in the traceroute.
I would also monitor the logs while doing the traceroute, for example through the ASDM, and see if the ASA is blocking any of the replies from the devices behind the ASA:
- Jouni
10-22-2013 06:40 AM
Sorry for the lack of output this is what I got:
I upped the logging level, but didn't get anything show as blocked on my syslog server:
packet-tracer input inside icmp 192.168.90.11 8 0 172.30.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.2.0 255.255.255.0 DMZ6_WAN
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.90.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_37 any any
object-group service DM_INLINE_SERVICE_37
service-object icmp
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp unreachable
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp error
service-policy global_policy global
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside host 192.168.90.11 DMZ6_WAN 172.30.2.0 255.255.255.0
NAT exempt
translate_hits = 236539, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any DMZ6_WAN any
dynamic translation to pool 1 (No matching global)
translate_hits = 21268, untranslate_hits = 0
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (81.171.56.166 [Interface PAT])
translate_hits = 105683296, untranslate_hits = 13170795
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0
match ip DMZ6_WAN any outside any
dynamic translation to pool 1 (81.171.56.166 [Interface PAT])
translate_hits = 6954867, untranslate_hits = 951791
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1912800586, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ6_WAN
output-status: up
output-line-status: up
Action: allow
10-22-2013 06:58 AM
Hi
This is the way to allow traceroute through the ASA firewall:
Enable TTL decrement:
policy-map global_policy
 class class-default
  set connection decrement-ttl
Adjust icmp timeouts:
icmp unreachable rate-limit 5 burst-size 5
On interface access-lists permit UDP packets:
access-list outside-in permit udp any any gt 33433 (or range 33434 to 33464)
Regards
/Peter
10-22-2013 07:31 AM
Get this error.
(config)# class class-default
ERROR: % class-default is a well-known class and is not configurable under class-map
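Peter's three steps above, laid out in the hierarchy the ASA expects, as an added example that is not part of the original thread: "class class-default" is only valid inside "policy-map global_policy", and typed at the bare (config)# prompt, as in the post just above, the ASA treats it as a class-map definition and rejects it. The ACL name is taken from the thread's "show access-list" output; the ICMP inspection lines the thread already has are repeated for completeness.

```cisco
! Added example (not from the thread): ASA 8.2 settings that let traceroute
! cross the firewall. ACL name DMZ6_WAN_access_in comes from the thread.
!
! 1) ICMP inspection: matches echo-replies and ICMP errors (time-exceeded,
!    unreachable) to the outbound probe so they are allowed back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2) TTL decrement so the ASA answers probes as a hop itself.
!    "class class-default" must be entered here, inside the policy-map;
!    at the (config)# prompt it is read as a class-map and rejected.
 class class-default
  set connection decrement-ttl
!
! 3) Raise the rate limit on ICMP errors the ASA itself generates
!    (default is 1 per second) so its own replies to probes are not throttled.
icmp unreachable rate-limit 5 burst-size 5
!
! 4) Permit the replies on the ACL of the interface facing the far end of
!    the path (the inspection normally passes them, these are the explicit
!    entries the thread discusses) ...
access-list DMZ6_WAN_access_in extended permit icmp any any echo-reply
access-list DMZ6_WAN_access_in extended permit icmp any any time-exceeded
access-list DMZ6_WAN_access_in extended permit icmp any any unreachable
! ... and the UDP probe range used by Linux/Unix traceroute. Windows tracert
! probes with ICMP echo, so this line does not affect the Windows case.
access-list DMZ6_WAN_access_in extended permit udp any any range 33434 33464
!
! Verification: both inspections and the TTL decrement should show under the
! global policy, and the hit counts on the ICMP error entries (all 0 in the
! thread's output) should rise while a trace is running.
show service-policy global
show access-list DMZ6_WAN_access_in
```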
10-22-2013 07:24 AM
Hi,
Your full output of the "packet-tracer" would indicate that there is a NAT0 configuration that is applied to this traffic.
In other words the source address 192.168.90.11 will not be NATed when connecting towards subnet 172.30.2.0/24
Do the hosts on subnet 172.30.2.0/24 have a route to reach network 192.168.90.0/24 through the ASA? (since there is no NAT configured for the network 192.168.90.0/24) Or is the subnet 172.30.2.0/24 perhaps directly connected to the ASA and the ASA is set as the default gateway out of that network?
- Jouni
10-22-2013 07:30 AM
That is right, as we are on 8.2 I have to add a NAT exempt so I keep my source IP. The 172.30.2.0/24 subnet is just one example, 172.30.2.0/24 does have a route to 192.168.90.0/24 as I can ping everything.
The ASA has a route to a local Cisco router that is our WAN router.