Kingsley,

 

The reason for the eBGP multihop is not that the ASA decrements the TTL; it is
that the neighbor is not directly attached. ebgp-multihop actually does two
things for you: it disables the connected check and it increases the TTL. If
you enter neighbor x.x.x.x disable-connected-check it will work fine.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [email protected]

 

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

 

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Tuesday, September 15, 2009 9:46 AM
To: Paul Stewart; Tyson Scott; [email protected]
Subject: Re: [OSL | CCIE_Security] Traceroute through ASA

 

Hi all

 

From this mail, I understand that the ASA does not decrement the TTL.

 

If I configure eBGP across an ASA, the neighbor connection is not
established unless I configure "ebgp-multihop 2". This means the TTL is
decremented by one, right?

 

Does the ASA decrement the TTL by one as routers do?

 

 

Am I missing something?

 

 

With regards

Kings

On Tue, Sep 8, 2009 at 2:06 AM, Paul Stewart <[email protected]> wrote:

The question asks to make sure the inside hosts can successfully traceroute
to devices on the drawing.  I guess my question is centered around the
interpretation of what a successful traceroute actually is.  If a successful
traceroute is one that shows an IP address from each layer 3 hop, then we
have to decrement packets traversing the ASAs.  If not, then it's not
necessary.  I really think it could go either way and would probably ask the
proctor if the ASAs themselves should be visible in the traceroute or not.

 

On Mon, Sep 7, 2009 at 4:19 PM, Tyson Scott <[email protected]> wrote:

But Paul the question doesn't ask anything about this.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


 

From: Paul Stewart [mailto:[email protected]] 
Sent: Monday, September 07, 2009 4:00 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Traceroute through ASA

 

Traceroute is only sent out as a type 8 from certain operating systems.
Cisco IOS uses UDP port 33434 for traceroute.  Many UNIX operating systems
use UDP as well.  The relevance of this is only in what type of ICMP
response is produced.  ICMP produces a standard time-exceeded (11/0), where
UDP produces a port unreachable (3/3).  My question is as to the
transparency of the ASA to a traceroute.  To make the ASA itself visible in
a traceroute you have to decrement the TTL.  This is not done by default.
The way to do this is shown at the URL below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace

Under "make the firewall show up in a traceroute" you will find the
following in addition to permitting icmp 11/0 and 3/3

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any

!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy

!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default

!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl

!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global

!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5




On Mon, Sep 7, 2009 at 3:08 PM, Tyson Scott <[email protected]> wrote:

Paul,

 

By default the ASA will block traceroute.  Traceroute is sent out with ICMP
type 8, but the responses come back as ICMP types 3 and 11.  Test by sending a
traceroute and see the traffic drop.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


 

From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Monday, September 07, 2009 1:50 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Traceroute through ASA

 

By default the ASA is transparent to a traceroute due to the fact that it
does not decrement the TTL.  In Vol 2, Lab 11 section 1.3-4 it specifies
that inside hosts should be able to "successfully" traceroute to devices on
the drawing.  What are the thoughts on using the method below to make the
ASA visible?  In my opinion, it is a gray area, but a successful traceroute
should show the layer 3 devices. 

policy-map global_policy
 class class-default
  set connection decrement-ttl

 

 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 
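The behaviour argued over in the thread, as an added example that is not part of any of the messages above and not Cisco's code: a small Python model of how the TTL is handled hop by hop on a path through an ASA. It shows why the ASA is invisible to a UDP or ICMP traceroute at its default (the probe passes with the TTL untouched, so the ASA never sends an 11/0), why it appears once `set connection decrement-ttl` is applied, and, for the eBGP question, that with a default ASA the session fails on the connected check rather than on the TTL, so `disable-connected-check` alone is enough. It also shows the caveat the thread does not spell out: once the ASA does decrement, a TTL-1 eBGP OPEN expires at the firewall and `ebgp-multihop 2` is needed. Hop names, addresses and subnets are constructed for the illustration.

```python
"""TTL handling along a path through an ASA, modelled in Python.

Added example, not code from the thread.  Hop names, addresses and subnets
are constructed for the illustration; ASA stands for the firewall at its
default (no TTL decrement) and ASA_DEC for the same box after
`set connection decrement-ttl` is applied to the global policy.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    addr: str                     # address that answers with ICMP for this hop
    decrements_ttl: bool = True   # False models the ASA default
    connected: tuple = ()         # directly connected subnets (CIDR strings)


def forward(path, ttl, probe):
    """Carry one probe with initial TTL `ttl` through `path`, whose last
    element is the destination.  Returns (responder_addr, icmp) where icmp is
    the (type, code) sent back, or None when a TCP segment was delivered."""
    for hop in path[:-1]:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.addr, (11, 0)      # time exceeded in transit
        # a transparent hop (ASA default) forwards with the TTL untouched
    dest = path[-1]
    if probe == "udp":
        return dest.addr, (3, 3)              # port unreachable (UDP traceroute)
    if probe == "icmp":
        return dest.addr, (0, 0)              # echo reply (ICMP traceroute)
    return dest.addr, None                    # tcp: delivered to the peer


def traceroute(path, probe="udp", max_ttl=30):
    """Probe with TTL 1, 2, 3 ... as traceroute does and list who answered.
    `path` is [first hop, ..., destination] as seen from the source host."""
    result = []
    for ttl in range(1, max_ttl + 1):
        addr, icmp = forward(path, ttl, probe)
        result.append((ttl, addr, icmp))
        if icmp != (11, 0):
            break                             # destination answered
    return result


def directly_connected(hop, addr):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in hop.connected)


def ebgp_session_ok(path, ebgp_multihop=None, disable_connected_check=False):
    """IOS-side preconditions for an eBGP session from path[0] to path[-1]:
    by default the OPEN is sent with TTL 1 and the peer must sit on a directly
    connected subnet.  `ebgp-multihop N` raises the TTL to N and disables the
    connected check; `disable-connected-check` removes only the check."""
    local, peer = path[0], path[-1]
    ttl = ebgp_multihop or 1
    check = not (ebgp_multihop or disable_connected_check)
    if check and not directly_connected(local, peer.addr):
        return False, "connected check failed: peer not on a connected subnet"
    # the local router does not decrement its own packet, so start at path[1]
    addr, icmp = forward(path[1:], ttl, "tcp")
    if icmp is not None:
        return False, f"TCP SYN expired at {addr} (ICMP {icmp[0]}/{icmp[1]})"
    return True, "session can establish"


# Constructed topology: host -> R1 -> ASA -> R2, with R1 and R2 as eBGP peers.
R1 = Hop("R1", "10.0.1.1", connected=("10.0.0.0/24", "10.0.1.0/24"))
ASA = Hop("ASA", "10.0.1.254", decrements_ttl=False)     # ASA default
ASA_DEC = Hop("ASA", "10.0.1.254", decrements_ttl=True)  # with decrement-ttl
R2 = Hop("R2", "10.0.2.1", connected=("10.0.2.0/24",))

if __name__ == "__main__":
    for asa in (ASA, ASA_DEC):
        kind = "decrementing" if asa.decrements_ttl else "transparent"
        print(f"traceroute via {kind} ASA:")
        for ttl, addr, icmp in traceroute([R1, asa, R2]):
            print(f"  {ttl:2d}  {addr:12s}  ICMP {icmp[0]}/{icmp[1]}")
        for opts in ({}, {"disable_connected_check": True}, {"ebgp_multihop": 2}):
            print("  eBGP", opts or "defaults", "->", ebgp_session_ok([R1, asa, R2], **opts))
```

Running it prints the two traceroute listings (two responders through the transparent ASA, three once it decrements) and the eBGP outcome for each neighbor option; the model treats the ASA as a normal router once `decrement-ttl` is on, which is what makes it show up as an 11/0 responder.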