It definitely doesn't decrement an ICMP based traceroute unless you
configure it to do so. I haven't tested with a Unix or IOS based UDP
traceroute. BGP is TCP. I haven't tested with that either.
On Sep 15, 2009, at 9:46 AM, Kingsley Charles <[email protected]> wrote:
Hi all
From this mail, I understand that ASA does not decrement TTL.
If I configure EBGP across an ASA, the neighbor connection is not
established unless I configure "ebgp-multihop 2". This means TTL is
decremented by one, right?
Does ASA decrement TTL by one as router do?
Am I missing something?
With regards
Kings
On Tue, Sep 8, 2009 at 2:06 AM, Paul Stewart <[email protected]>
wrote:
The question asks to make sure the inside hosts can successfully
traceroute to devices on the drawing. I guess my question is
centered around the interpretation of what a successful traceroute
actually is. If a successful traceroute is one that shows an IP
address from each layer 3 hop, then we have to decrement packets
traversing the ASAs. If not, then it's not necessary. I really
think it could go either way and would probably ask the proctor if
the ASAs themselves should be visible in the traceroute or not.
On Mon, Sep 7, 2009 at 4:19 PM, Tyson Scott <[email protected]>
wrote:
But Paul the question doesn’t ask anything about this.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
On Demand and Audio Certification Training Tools for the Cisco CCIE
R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice
Lab and CCIE Storage Lab Certifications.
From: Paul Stewart [mailto:[email protected]]
Sent: Monday, September 07, 2009 4:00 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Traceroute through ASA
Traceroute is only sent out as a type 8 from certain operating
systems. Cisco IOS uses UDP port 33434 for traceroute. Many UNIX
operating systems use UDP as well. The relevancy of this is only in
what type of icmp response is produced. ICMP produces a standard
time-exceeded (11/0), where udp produces a port unreachable (3/3).
My question is as to the transparency of the ASA to a traceroute.
To make the ASA itself visible in a traceroute you have to decrement
the TTL. This is not done by default. The way to do this is shown
at the URL below.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace
Under "make the firewall show up in a traceroute" you will find the
following in addition to permitting icmp 11/0 and 3/3
ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
On Mon, Sep 7, 2009 at 3:08 PM, Tyson Scott <[email protected]>
wrote:
Paul,
By default the ASA will block traceroute. Traceroute is sent out
with ICMP type 8, but the replies come back as ICMP type 3 and 11.
Test by sending a traceroute and see the traffic drop.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Monday, September 07, 2009 1:50 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Traceroute through ASA
By default the ASA is transparent to a traceroute due to the fact
that it does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4
it specifies that inside hosts should be able to "successfully"
traceroute to devices on the drawing. What are the thoughts on
using the method below to make the ASA visible? In my opinion, it
is a gray area, but a successful traceroute should show the layer 3
devices.
policy-map global_policy
class class-default
set connection decrement-ttl
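As an added illustration of the thread's two points (the ASA is invisible to traceroute unless it decrements TTL, and the reply type depends on the probe type: 11/0 time-exceeded from intermediate hops, 3/3 port-unreachable for a UDP probe at the destination, echo-reply 0/0 for an ICMP probe at the destination), here is a small Python model of a traceroute crossing a firewall. It is not code from the thread, the Cisco note, or any vendor; the hop names, the three-hop path and the probe model are constructed for the example.

```python
"""Toy model of traceroute across a firewall that may or may not decrement TTL.

Constructed example: hops are plain Python objects, no packets are sent.
A router always decrements TTL when forwarding; the firewall hop models
the ASA, whose default is to leave TTL untouched (decrements_ttl=False)
and which becomes visible only with 'set connection decrement-ttl'.
"""
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = (11, 0)   # hop dropped the probe because TTL hit 0
ICMP_PORT_UNREACH = (3, 3)     # destination reply to a UDP probe (IOS/Unix style)
ICMP_ECHO_REPLY = (0, 0)       # destination reply to an ICMP echo probe (type 8)


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True   # routers: True; ASA default: False


@dataclass
class Reply:
    probe_ttl: int
    responder: str
    icmp_type: int
    icmp_code: int


def send_probe(path, dest, probe, ttl):
    """Forward one probe with the given TTL along path and return the reply
    the tracing host would see. probe is 'udp' or 'icmp'."""
    for hop in path:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                # Packet is dropped here; hop answers with time-exceeded.
                return Reply(ttl, hop.name, *ICMP_TIME_EXCEEDED)
        # A non-decrementing hop forwards the packet unchanged and never answers.
    # Probe reached the destination host.
    if probe == "icmp":
        return Reply(ttl, dest, *ICMP_ECHO_REPLY)
    return Reply(ttl, dest, *ICMP_PORT_UNREACH)


def traceroute(path, dest, probe="udp", max_ttl=30):
    """Send probes with TTL 1, 2, 3, ... until the destination answers."""
    replies = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, dest, probe, ttl)
        reply.probe_ttl = ttl
        replies.append(reply)
        if reply.responder == dest:
            break
    return replies


def icmp_replies_seen(replies):
    """The (type, code) pairs the firewall must let back in for this trace."""
    return {(r.icmp_type, r.icmp_code) for r in replies}


def hop_list(replies):
    return [r.responder for r in replies]


if __name__ == "__main__":
    for decrement in (False, True):
        path = [Hop("R1"), Hop("ASA", decrements_ttl=decrement), Hop("R2")]
        for probe in ("udp", "icmp"):
            trace = traceroute(path, "Host", probe)
            print(f"decrement-ttl={decrement} probe={probe}:")
            for r in trace:
                print(f"  ttl {r.probe_ttl}: {r.responder} icmp {r.icmp_type}/{r.icmp_code}")
            print("  return ICMP to permit:", sorted(icmp_replies_seen(trace)))
```

With decrements_ttl=False the trace lists R1, R2, Host and the ASA never appears; with it True the ASA shows up as its own hop. The set returned by icmp_replies_seen is the set of ICMP types the firewall policy has to permit back toward the inside hosts, which is why the Cisco note pairs decrement-ttl with permitting 11/0 and 3/3 (and, for Windows-style ICMP traceroute, echo-reply).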
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com