How do I get traceroutes to work through ASA?

Andy White
Level 3

Hello,

We have a number of networks that go through our ASA, but we have never been able to run a traceroute even though we have ICMP any any running on each interface.  When we try a tracert from a Windows PC to a remote destination like Google it works, but if we try a trace through one of the subinterfaces off the ASA (DMZ) it doesn't work.

For example, I try to trace a router on our WAN and it goes to our LAN switch, which then forwards to the ASA, and then it hits a wall:

C:\Users\me>tracert 172.30.2.1 (remote WAN router)

Tracing route to 172.30.2.1 over a maximum of 30 hop

  1    <1 ms    <1 ms    <1 ms  192.168.90.254 (my gateway, which is our core LAN switch)
  2     *             *        *     Request timed out.

I've never been able to solve this, any ideas?

Thanks

16 Replies

Jouni Forss
VIP Alumni

Hi,

Check the output of the following command on your ASA

show run policy-map

If it's not present, add (if you are using the default configurations)

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

You can also check this document to help with ICMP related configurations

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope this helps

- Jouni

Hi,

Thanks for the instant reply wow!

This is what I have; I think most of it is our IPS.

sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect ils
  inspect pptp
  inspect icmp error
  inspect ftp
  inspect tftp
  inspect icmp
  inspect http
 class global-class
  flow-export event-type all destination 192.168.28.136
policy-map ME-DMZ6-IPS-POLICY
 class ME-DMZ6-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DMZ4-IPS-POLICY
 class ME-DMZ4-CLASS
  ips inline fail-open sensor vs0
policy-map ME-OUTSIDE-IPS-POLICY
 class ME-OUTSIDE-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DIGI-WAN-IPS-POLICY
 class ME-DIGI-WAN-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DIGI-SYSTEMS-IPS-POLICY
 class ME-DIGI-SYSTEMS-CLASS
  ips inline fail-open sensor vs0
policy-map ME-REC-IPS-POLICY
 class ME-REC-CLASS
  ips inline fail-open sensor vs0
policy-map ME-DMZ10-IPS-CLASS
 class ME-DMZ10-CLASS
  ips inline fail-open sensor vs0

So I can just add what you put above?

Thanks

Hi,

You already seem to have both ICMP inspections enabled in the above configuration.

Make sure you have added the ACL rules to your external interface ACL

access-list line 1 remark ICMP
access-list line 2 permit icmp any any echo-reply
access-list line 3 permit icmp any any time-exceeded
access-list line 4 permit icmp any any unreachable

- Jouni

Just added those to the inside interface (where I am) and DMZ6 where 172.30.2.1 is and no luck.

This is what I see (sorry, I use the ASDM but am learning the CLI more):

access-list DMZ6_WAN_access_in line 137 extended permit object-group DM_INLINE_SERVICE_36 any any 0xeba5b318
  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any (hitcnt=4884) 0xf1f06367
  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any echo-reply (hitcnt=0) 0x0afc9265
  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any time-exceeded (hitcnt=0) 0x36a14417
  access-list DMZ6_WAN_access_in line 137 extended permit icmp any any unreachable (hitcnt=0) 0x3140b5ca

access-list inside_access_in line 292 extended permit object-group DM_INLINE_SERVICE_37 any any 0x5d4fd23c
  access-list inside_access_in line 292 extended permit icmp any any (hitcnt=6751) 0xd6183fb5
  access-list inside_access_in line 292 extended permit icmp any any echo-reply (hitcnt=0) 0xb2f4960f
  access-list inside_access_in line 292 extended permit icmp any any time-exceeded (hitcnt=0) 0x64438bdb
  access-list inside_access_in line 292 extended permit icmp any any unreachable (hitcnt=0) 0xa5dece3d

Thanks


Hi,

These should be added to the interface ACL that is attached to the ASA interface that's connected to the Internet. These ACL rules allow the reply messages from the devices along the path to the device to which you are tracing the route.

- Jouni

Hi,

Same issue, although the WAN link isn't over the Internet.  I can already do traces to sites over the Internet, for example to Google.

Off the ASA I have a trunk to a 3750 which has all the VLANs to these WAN sites and other VLANs and none can be traced, pings are fine.  I have to create subinterfaces off the ASA and add them to the trunk, I assume it is the ASA, but maybe not now.

Hi,

To be honest I am not sure I can see what the problem is with the above information.

The already provided commands and link to the document is usually the ones required to get this working.

You can always test ICMP through the ASA with the "packet-tracer" command to check that the initial direction to your destination network/host is at least allowed:

packet-tracer input <interface> icmp <source-ip> 8 0 <destination-ip>

- Jouni

Hi,

Here are the results:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ6_WAN
output-status: up
output-line-status: up
Action: allow

I just put a laptop on the other side of the ASA to prove the trace works to the WAN router, and it did, so it definitely is the ASA.

Oh well, thanks for your time on this, it was most appreciated.

Thanks

Hi,

I am not sure the above partial output tells me anything. And I am not sure of the actual network layout, where the source and destination are with regard to it, and what configurations/rules are applied to the traffic between them.

The ASA itself doesn't show up in the traceroute by default. That can be changed with the instructions in the document I linked. Though I usually leave the ASAs at their default setting regarding this, so that they don't show up in the traceroute.

I would also monitor the logs while doing the traceroute, for example through the ASDM, and see if the ASA is blocking any of the replies from the devices behind the ASA.

- Jouni

Sorry for the lack of output; this is what I got.

I upped the logging level, but didn't get anything showing as blocked on my syslog server:

packet-tracer input inside icmp 192.168.90.11 8 0 172.30.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.2.0      255.255.255.0   DMZ6_WAN

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.90.0    255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_37 any any
object-group service DM_INLINE_SERVICE_37
 service-object icmp
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp error
service-policy global_policy global
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 192.168.90.11 DMZ6_WAN 172.30.2.0 255.255.255.0
    NAT exempt
    translate_hits = 236539, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any DMZ6_WAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 21268, untranslate_hits = 0
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (81.171.56.166 [Interface PAT])
    translate_hits = 105683296, untranslate_hits = 13170795
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0
  match ip DMZ6_WAN any outside any
    dynamic translation to pool 1 (81.171.56.166 [Interface PAT])
    translate_hits = 6954867, untranslate_hits = 951791
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1912800586, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ6_WAN
output-status: up
output-line-status: up
Action: allow
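The packet-tracer output above is long, and the useful facts (which phase denied the packet, the final action, the ACL line that matched) are scattered across it. The following parser is an added example, not code from the thread or from Cisco: it turns a packet-tracer run into a list of phases and a verdict, and reports the first non-ALLOW phase. ALLOW_SAMPLE is constructed to follow the layout of the run posted above; DROP_SAMPLE is a constructed run of the reply direction (an ICMP time-exceeded entering the outside interface) that is denied by an ACL, which is the case Jouni's earlier advice about the external interface ACL is meant to catch.

```python
"""Parse Cisco ASA packet-tracer output into phases and a final verdict.

Added example, not from the thread or from Cisco. Both samples are constructed:
ALLOW_SAMPLE follows the layout of the run posted in the thread, DROP_SAMPLE
shows a return-direction run denied by an access-list.
"""
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, verdict): the numbered blocks in order, and the trailing
    summary that begins with a bare 'Result:' line, as a dict."""
    phases, verdict = [], {}
    cur, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and sep:
            cur = Phase(int(value))
            phases.append(cur)
            section, in_summary = None, False
            continue
        if key == "Result" and sep and not value:  # bare "Result:" opens the summary
            in_summary, cur = True, None
            continue
        if in_summary:
            verdict[key] = value
            continue
        if cur is None:  # e.g. the echoed command line before Phase 1
            continue
        if key == "Type" and sep:
            cur.type = value
        elif key == "Subtype" and sep:
            cur.subtype = value
        elif key == "Result" and sep:
            cur.result = value
        elif key == "Config" and sep and not value:
            section = "config"
        elif key == "Additional Information" and sep and not value:
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, verdict


def first_denying_phase(phases):
    """First phase whose Result is not ALLOW (the ASA stops tracing there), else None."""
    for p in phases:
        if p.result and p.result.upper() != "ALLOW":
            return p
    return None


def summarize(text):
    """Compact view: phases that ran, final action, and where the packet was denied."""
    phases, verdict = parse_packet_tracer(text)
    bad = first_denying_phase(phases)
    return {
        "phases": [(p.number, p.type, p.result) for p in phases],
        "action": verdict.get("Action", "").lower(),
        "drop_reason": verdict.get("Drop-reason", ""),
        "denied_in": None if bad is None else f"phase {bad.number} {bad.type}",
        "acl_lines": [c for p in phases if p.type == "ACCESS-LIST"
                      for c in p.config if c.startswith("access-list ")],
    }


# Constructed sample: forward direction, every phase allowed.
ALLOW_SAMPLE = """\
packet-tracer input inside icmp 192.168.90.11 8 0 172.30.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.2.0 255.255.255.0 DMZ6_WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1912800586, packet dispatched to next module

Result:
input-interface: inside
output-interface: DMZ6_WAN
Action: allow
"""

# Constructed sample: an ICMP time-exceeded (type 11) reply coming back in
# through the outside interface with no ACL entry for it.
DROP_SAMPLE = """\
packet-tracer input outside icmp 172.30.2.1 11 0 192.168.90.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.90.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, sample in (("allow", ALLOW_SAMPLE), ("drop", DROP_SAMPLE)):
        print(name, summarize(sample))
```

Run the parser over a trace of each direction: packet-tracer only simulates the packet you give it, so an all-ALLOW forward run (as in the thread) says nothing about whether the time-exceeded replies from intermediate hops are let back in.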

Hi

This is the way to allow traceroute through the ASA firewall:

Enable TTL decrement:

  policy-map global_policy
   class class-default
    set connection decrement-ttl

Adjust ICMP timeouts:

  icmp unreachable rate-limit 5 burst-size 5

On interface access-lists permit UDP packets:

  access-list outside-in permit udp any any gt 33433  (or range 33434 to 33464)

Regards

/Peter
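Between Jouni's and Peter's replies the thread now lists every configuration item traceroute through an ASA depends on: ICMP inspection (inspect icmp and inspect icmp error), ACL entries letting the time-exceeded and unreachable replies back in, set connection decrement-ttl under class-default, and, for UDP-based traceroute, the probe ports from 33434 up. The audit below is an added example, not Cisco's code and not from the thread: it reads an ASA "show run"-style fragment, follows its indentation to build the policy-map / class / command hierarchy, and reports which of those items are present. WEAK_CONFIG and FIXED_CONFIG are constructed fragments, and the ACL names in them are made up.

```python
"""Audit an ASA 'show run' fragment for the traceroute prerequisites discussed
in this thread. Added example, not Cisco's code; the two config fragments at the
bottom are constructed and their ACL names are made up."""
import re


def config_paths(config_text):
    """Turn ASA indentation into tuples: each line becomes the chain of its
    parents plus itself, e.g. ('policy-map global_policy',
    'class inspection_default', 'inspect icmp')."""
    paths, stack = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # leave deeper/equal blocks
            stack.pop()
        stack.append((indent, line))
        paths.add(tuple(s for _, s in stack))
    return paths


ICMP_LINE = re.compile(r"^access-list (\S+) (?:extended )?permit icmp any any(?: (\S+))?$")
UDP_LINE = re.compile(r"^access-list (\S+) (?:extended )?permit udp any any "
                      r"(?:gt (\d+)|range (\d+) (\d+))$")


def _covers_udp_probes(m):
    """True if the matched port clause includes 33434, the first traceroute port."""
    if m.group(2):                                         # "gt N"
        return int(m.group(2)) < 33434
    return int(m.group(3)) <= 33434 <= int(m.group(4))     # "range A B"


def audit_traceroute(config_text):
    """Check the global policy and the top-level access-list lines."""
    paths = config_paths(config_text)
    pm, needed = "policy-map global_policy", {"time-exceeded", "unreachable"}
    icmp_types, udp_ok = {}, set()
    for (line,) in (p for p in paths if len(p) == 1):      # top-level lines only
        m = ICMP_LINE.match(line)
        if m:  # a bare "permit icmp any any" covers every ICMP type
            icmp_types.setdefault(m.group(1), set()).add(m.group(2) or "all")
        m = UDP_LINE.match(line)
        if m and _covers_udp_probes(m):
            udp_ok.add(m.group(1))
    return {
        "inspect_icmp": (pm, "class inspection_default", "inspect icmp") in paths,
        "inspect_icmp_error": (pm, "class inspection_default", "inspect icmp error") in paths,
        "decrement_ttl": (pm, "class class-default", "set connection decrement-ttl") in paths,
        "acls_permitting_icmp_replies": sorted(
            acl for acl, t in icmp_types.items() if "all" in t or needed <= t),
        "acls_permitting_udp_probes": sorted(udp_ok),
    }


def missing_items(config_text):
    """Names of the global-policy settings the fragment lacks."""
    f = audit_traceroute(config_text)
    return [k for k in ("inspect_icmp", "inspect_icmp_error", "decrement_ttl") if not f[k]]


# Constructed: ICMP inspection on, but no icmp error inspection, no TTL
# decrement, and only echo-reply permitted inbound.
WEAK_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
access-list outside_access_in extended permit icmp any any echo-reply
"""

# Constructed: the same fragment with every item from the thread added.
FIXED_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit udp any any gt 33433
access-list inside_access_in extended permit icmp any any
"""

if __name__ == "__main__":
    print("weak:", audit_traceroute(WEAK_CONFIG), missing_items(WEAK_CONFIG))
    print("fixed:", audit_traceroute(FIXED_CONFIG), missing_items(FIXED_CONFIG))
```

The indentation walk is what makes the policy-map check meaningful: "set connection decrement-ttl" only counts when it sits under "class class-default" inside "policy-map global_policy", which is also the context in which the ASA accepts it (the error quoted later in the thread is what you get when "class class-default" is entered outside a policy-map).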

Get this error.

(config)# class class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Hi,

Your full output of the "packet-tracer" would indicate that there is a NAT0 configuration that is applied to this traffic.

In other words the source address 192.168.90.11 will not be NATed when connecting towards subnet 172.30.2.0/24

Do the hosts on subnet 172.30.2.0/24 have a route to reach network 192.168.90.0/24 through the ASA (since there is no NAT configured for the network 192.168.90.0/24)? Or is the subnet 172.30.2.0/24 perhaps directly connected to the ASA, with the ASA set as the default gateway out of that network?

- Jouni

That is right, as we are on 8.2 I have to add a NAT exempt so I keep my source IP.  The 172.30.2.0/24 subnet is just one example; 172.30.2.0/24 does have a route to 192.168.90.0/24, as I can ping everything.

The ASA has a route to a local Cisco router that is our WAN router.
