Hi all

From this mail, I understand that the ASA does not decrement the TTL.

If I configure eBGP across an ASA, the neighbor connection is not
established unless I configure "ebgp-multihop 2". This means the TTL is
decremented by one, right?

Does the ASA decrement the TTL by one as a router does?


Am I missing something?


With regards
Kings

On Tue, Sep 8, 2009 at 2:06 AM, Paul Stewart <[email protected]> wrote:

> The question asks to make sure the inside hosts can successfully
> traceroute to devices on the drawing.  I guess my question is centered around
> the interpretation of what a successful traceroute actually is.  If a
> successful traceroute is one that shows an IP address from each layer 3 hop,
> then we have to decrement packets traversing the ASAs.  If not, then it's
> not necessary.  I really think it could go either way and would probably ask
> the proctor if the ASAs themselves should be visible in the traceroute or
> not.
>
> On Mon, Sep 7, 2009 at 4:19 PM, Tyson Scott <[email protected]> wrote:
>
>>  But Paul the question doesn’t ask anything about this.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto:  [email protected]
>>
>>
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>>
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>>
>>
>> *From:* Paul Stewart [mailto:[email protected]]
>> *Sent:* Monday, September 07, 2009 4:00 PM
>> *To:* Tyson Scott
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Traceroute through ASA
>>
>>
>>
>> Traceroute is only sent out as a type 8 from certain operating systems.
>> Cisco IOS uses UDP port 33434 for traceroute.  Many UNIX operating systems
>> use UDP as well.  The relevance of this is only in what type of ICMP
>> response is produced.  ICMP produces a standard time-exceeded (11/0), whereas
>> UDP produces a port unreachable (3/3).  My question is as to the
>> transparency of the ASA to a traceroute.  To make the ASA itself visible in
>> a traceroute you have to decrement the TTL.  This is not done by default.
>> The way to do this is shown at the URL below.
>>
>>
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace
>>
>> Under "Make the firewall show up in a traceroute" you will find the
>> following, in addition to permitting ICMP 11/0 and 3/3:
>>
>> ciscoasa(config)#class-map class-default
>> ciscoasa(config)#match any
>>
>> !--- This class-map exists by default.
>> ciscoasa(config)#policy-map global_policy
>>
>> !--- This Policy-map exists by default.
>> ciscoasa(config-pmap)#class class-default
>>
>> !--- Add another class-map to this policy.
>> ciscoasa(config-pmap-c)#set connection decrement-ttl
>>
>> !--- Decrement the IP TTL field for packets traversing the firewall.
>> !--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
>> ciscoasa(config-pmap-c)#exit
>> ciscoasa(config-pmap)#exit
>> ciscoasa(config)#service-policy global_policy global
>>
>> !--- This service-policy exists by default.
>> WARNING: Policy map global_policy is already configured as a service
>> policy
>>
>> ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
>>
>>
>>
>>  On Mon, Sep 7, 2009 at 3:08 PM, Tyson Scott <[email protected]> wrote:
>>
>> Paul,
>>
>>
>>
>> By default the ASA will block traceroute.  Traceroute is sent out with
>> ICMP type 8, but the responses come back as ICMP type 3 and 11.  Test by sending
>> a traceroute and see the traffic drop.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>>
>> Technical Instructor - IPexpert, Inc.
>>
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto:  [email protected]
>>
>>
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>>
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Paul Stewart
>> *Sent:* Monday, September 07, 2009 1:50 PM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] Traceroute through ASA
>>
>>
>>
>> By default the ASA is transparent to a traceroute due to the fact that it
>> does not decrement the TTL.  In Vol 2, Lab 11 section 1.3-4 it specifies
>> that inside hosts should be able to "successfully" traceroute to devices on
>> the drawing.  What are the thoughts on using the method below to make the
>> ASA visible?  In my opinion, it is a gray area, but a successful traceroute
>> should show the layer 3 devices.
>>
>> policy-map global_policy
>>  class class-default
>>   set connection decrement-ttl
>>
>>
>>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
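A small model of the TTL behaviour discussed in this thread, added here as a worked example; it is not code from the thread, from IPexpert or from the Cisco tech note. Device names, addresses and the per-hop decrement_ttl flag are constructed: routers always decrement the IP TTL, and the ASA is modelled as leaving it untouched unless "set connection decrement-ttl" is applied, which is what the global_policy snippet above changes. The model reproduces both points raised: the ASA is absent from a traceroute until it decrements, and the final reply is 3/3 for a UDP probe (IOS/UNIX) versus 0/0 for an ICMP echo (type 8) probe. It also covers the eBGP case: a packet sent with TTL 1 does cross a non-decrementing ASA, so on a default ASA the TTL is not what stops a single-hop eBGP session; what "ebgp-multihop 2" relaxes there is IOS's directly-connected check on the peer address (in addition to raising the TTL to 2). Only once decrement-ttl is enabled does the TTL-1 packet actually expire at the ASA.

```python
"""
Hop-by-hop model of IP TTL handling through routers and an ASA.

Added example for this thread; not code from the mailing list or from
Cisco. Device names, addresses and the per-hop 'decrement_ttl' flag are
constructed for illustration. Routers always decrement the TTL; the ASA
is modelled as NOT decrementing by default, which is what
'set connection decrement-ttl' under global_policy changes.
"""
from dataclasses import dataclass

# ICMP (type, code) pairs referred to in the thread
TIME_EXCEEDED = (11, 0)     # transit hop: TTL expired in flight
PORT_UNREACHABLE = (3, 3)   # UDP probe (IOS/UNIX traceroute) reached the target
ECHO_REPLY = (0, 0)         # ICMP echo probe (type 8, e.g. Windows tracert) reached the target


@dataclass
class Hop:
    name: str
    ip: str
    decrement_ttl: bool = True   # routers: True; ASA default: False


def send_probe(path, ttl, probe="udp"):
    """Forward one packet with the given TTL along 'path' (last element is
    the destination host). Returns (responding hop, (icmp_type, icmp_code))."""
    for hop in path[:-1]:
        if not hop.decrement_ttl:
            continue                      # transparent hop: TTL passes unchanged
        ttl -= 1
        if ttl == 0:
            return hop, TIME_EXCEEDED     # router behaviour: drop and report 11/0
    target = path[-1]
    return target, (PORT_UNREACHABLE if probe == "udp" else ECHO_REPLY)


def traceroute(path, probe="udp", max_ttl=30):
    """Return [(ttl, hop name, (type, code)), ...] up to the first reply from
    the destination, like a one-probe-per-TTL traceroute."""
    result = []
    for ttl in range(1, max_ttl + 1):
        hop, icmp = send_probe(path, ttl, probe)
        result.append((ttl, hop.name, icmp))
        if hop is path[-1]:
            break
    return result


def visible_hops(path, probe="udp"):
    """Names that would appear as lines in the traceroute output."""
    return [name for _, name, _ in traceroute(path, probe)]


def reaches_peer(path, ttl):
    """True if a packet sent with 'ttl' (eBGP's default of 1, or the value
    given to 'ebgp-multihop') arrives at the last element of 'path'."""
    hop, _ = send_probe(path, ttl)
    return hop is path[-1]


def build_path(asa_decrements):
    """Constructed topology: inside host -> R1 -> ASA -> R2 -> target."""
    return [
        Hop("R1", "10.1.1.1"),
        Hop("ASA", "10.1.2.1", decrement_ttl=asa_decrements),
        Hop("R2", "10.1.3.1"),
        Hop("target", "10.1.4.10"),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print("ASA decrement-ttl:", flag)
        for ttl, name, icmp in traceroute(build_path(flag)):
            print(f"  {ttl:2d}  {name:7s}  ICMP {icmp[0]}/{icmp[1]}")
    # eBGP between R1 and R2: R1's own packet starts after R1, so the
    # relevant path is [ASA, R2]; TTL 1 is the IOS default for eBGP.
    for flag in (False, True):
        print("TTL 1 crosses ASA (decrement-ttl =", flag, "):",
              reaches_peer(build_path(flag)[1:3], 1))
```

Running it prints three hops with the ASA at its default (R1, R2, target) and four once decrement-ttl is set; the eBGP lines show the TTL-1 packet crossing the default ASA and expiring at the decrementing one.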