But Paul, the question doesn't ask anything about this.
Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Paul Stewart [mailto:[email protected]]
Sent: Monday, September 07, 2009 4:00 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Traceroute through ASA

Traceroute is only sent out as a type 8 from certain operating systems. Cisco IOS uses UDP port 33434 for traceroute. Many UNIX operating systems use UDP as well. The relevancy of this is only in what type of ICMP response is produced. ICMP produces a standard time-exceeded (11/0), where UDP produces a port unreachable (3/3).

My question is as to the transparency of the ASA to a traceroute. To make the ASA itself visible in a traceroute you have to decrement the TTL. This is not done by default. The way to do this is shown at the URL below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace

Under "make the firewall show up in a traceroute" you will find the following in addition to permitting icmp 11/0 and 3/3:

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5

On Mon, Sep 7, 2009 at 3:08 PM, Tyson Scott <[email protected]> wrote:

Paul,

By default the ASA will block traceroute. Traceroute is sent out with ICMP type 8 but will respond back with ICMP type 3 and 11. Test by sending a traceroute and see the traffic drop.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Monday, September 07, 2009 1:50 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Traceroute through ASA

By default the ASA is transparent to a traceroute due to the fact that it does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4 it specifies that inside hosts should be able to "successfully" traceroute to devices on the drawing. What are the thoughts on using the method below to make the ASA visible? In my opinion, it is a gray area, but a successful traceroute should show the layer 3 devices.

policy-map global_policy
 class class-default
  set connection decrement-ttl
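As an added illustration (not from the list posts and not ASA code), the Python below models what the thread describes: a constructed path R1, ASA, R2, DST where the ASA's TTL handling ("set connection decrement-ttl") and the ICMP (type, code) pairs it lets back in are parameters, so you can see which hops a UDP or ICMP traceroute prints in each case. The topology is made up, and treating echo-reply (0/0) as the final-hop answer for an ICMP type 8 probe is my assumption, not something the thread states.

```python
from dataclasses import dataclass
from typing import Optional
# ICMP (type, code) pairs a traceroute relies on, as named in the thread
TIME_EXCEEDED = (11, 0)  # an intermediate hop expired the probe's TTL
PORT_UNREACH = (3, 3)    # a UDP probe (IOS/UNIX, port 33434+) reached the destination
ECHO_REPLY = (0, 0)      # an ICMP echo (type 8) probe reached the destination (assumed)

@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True               # ASA: False unless 'set connection decrement-ttl'
    inbound_icmp: Optional[frozenset] = None  # firewall only: ICMP (type, code) allowed back in

def send_probe(path, ttl, probe):
    """Send one probe with the given TTL down path (last hop is the destination).
    Returns (responder name, (type, code)), or (None, None) if no reply made it back."""
    for idx, hop in enumerate(path):
        if idx == len(path) - 1:                      # destination answers the probe itself
            reply = PORT_UNREACH if probe == "udp" else ECHO_REPLY
        elif hop.decrements_ttl and (ttl := ttl - 1) == 0:
            reply = TIME_EXCEEDED                     # TTL hit zero at this hop
        else:
            continue                                  # forwarded on (ASA leaves TTL untouched by default)
        # the reply must cross every firewall sitting between the source and the responder
        for fw in path[:idx]:
            if fw.inbound_icmp is not None and reply not in fw.inbound_icmp:
                return None, None                     # firewall dropped the returning ICMP
        return hop.name, reply
    return None, None

def traceroute(path, probe="udp", max_ttl=8):
    """Return the hop names a traceroute would print; '*' marks a probe that got no reply."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, reply = send_probe(path, ttl, probe)
        hops.append(responder or "*")
        if reply in (PORT_UNREACH, ECHO_REPLY):       # destination reached, stop probing
            break
    return hops

def lab_path(decrement_ttl=False, permit=frozenset()):
    """Constructed topology (not the lab drawing): inside host -> R1 -> ASA -> R2 -> DST."""
    return [Hop("R1"), Hop("ASA", decrements_ttl=decrement_ttl, inbound_icmp=permit),
            Hop("R2"), Hop("DST")]

if __name__ == "__main__":
    permitted = frozenset({TIME_EXCEEDED, PORT_UNREACH})  # the 11/0 and 3/3 the thread permits
    print(traceroute(lab_path()))                         # default ASA: only R1 answers, rest '*'
    print(traceroute(lab_path(permit=permitted)))         # ICMP permitted, ASA still invisible
    print(traceroute(lab_path(True, permitted)))          # with decrement-ttl the ASA shows up
```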
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
