Got the answer, ASA doesn't decrement by default. You need to configure "set connection decrement-ttl" for the default-class.
With regards
Kings

On Wed, Sep 16, 2009 at 11:37 AM, Kingsley Charles <[email protected]> wrote:

> Hi Tyson
>
> It works, when I configured "disable-connected-check" as you said.
>
> But please let me know, if ASA decrements TTL or is transparent in routed
> mode?
>
> With regards
> Kings
>
> On Tue, Sep 15, 2009 at 11:47 PM, Tyson Scott <[email protected]> wrote:
>
>> Kingsley,
>>
>> The reason for the ebgp multi hop is not because of the decrement of the
>> TTL timer by the ASA, it is that the neighbor is not directly attached.
>> EBGP-multihop actually does two things for you. It disables the connected
>> check and it increases the TTL. If you enter "neighbor x.x.x.x
>> disable-connected-check" it will work fine.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>> From: Kingsley Charles [mailto:[email protected]]
>> Sent: Tuesday, September 15, 2009 9:46 AM
>> To: Paul Stewart; Tyson Scott; [email protected]
>> Subject: Re: [OSL | CCIE_Security] Traceroute through ASA
>>
>> Hi all
>>
>> From this mail, I understand that ASA does not decrement TTL.
>>
>> If I configure EBGP across an ASA, the neighbors' connection is not
>> established unless I configure "ebgp-multihop 2". This means TTL is
>> decremented by one, right?
>>
>> Does ASA decrement TTL by one as routers do?
>>
>> Am I missing something?
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 8, 2009 at 2:06 AM, Paul Stewart <[email protected]> wrote:
>>
>> The question asks to make sure the inside hosts can successfully
>> traceroute to devices on the drawing. I guess my question is centered around
>> the interpretation of what a successful traceroute actually is. If a
>> successful traceroute is one that shows an IP address from each layer 3 hop,
>> then we have to decrement packets traversing the ASAs. If not, then it's
>> not necessary. I really think it could go either way and would probably ask
>> the proctor if the ASAs themselves should be visible in the traceroute or
>> not.
>>
>> On Mon, Sep 7, 2009 at 4:19 PM, Tyson Scott <[email protected]> wrote:
>>
>> But Paul the question doesn't ask anything about this.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> From: Paul Stewart [mailto:[email protected]]
>> Sent: Monday, September 07, 2009 4:00 PM
>> To: Tyson Scott
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Traceroute through ASA
>>
>> Traceroute is only sent out as a type 8 from certain operating systems.
>> Cisco IOS uses UDP port 33434 for traceroute. Many UNIX operating systems
>> use UDP as well. The relevancy of this is only in what type of ICMP
>> response is produced. ICMP produces a standard time-exceeded (11/0), where
>> UDP produces a port unreachable (3/3). My question is as to the
>> transparency of the ASA to a traceroute. To make the ASA itself visible in
>> a traceroute you have to decrement the TTL. This is not done by default.
>> The way to do this is shown at the URL below.
>>
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace
>>
>> Under "make the firewall show up in a traceroute" you will find the
>> following in addition to permitting icmp 11/0 and 3/3:
>>
>> ciscoasa(config)#class-map class-default
>> ciscoasa(config)#match any
>> !--- This class-map exists by default.
>>
>> ciscoasa(config)#policy-map global_policy
>> !--- This policy-map exists by default.
>>
>> ciscoasa(config-pmap)#class class-default
>> !--- Add another class-map to this policy.
>>
>> ciscoasa(config-pmap-c)#set connection decrement-ttl
>> !--- Decrement the IP TTL field for packets traversing the firewall.
>> !--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
>>
>> ciscoasa(config-pmap-c)#exit
>> ciscoasa(config-pmap)#exit
>> ciscoasa(config)#service-policy global_policy global
>> !--- This service-policy exists by default.
>> WARNING: Policy map global_policy is already configured as a service policy
>>
>> ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
>>
>> On Mon, Sep 7, 2009 at 3:08 PM, Tyson Scott <[email protected]> wrote:
>>
>> Paul,
>>
>> By default the ASA will block traceroute. Traceroute is sent out with
>> ICMP type 8 but will respond back with ICMP type 3 and 11. Test by sending
>> a traceroute and see the traffic drop.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
>> Sent: Monday, September 07, 2009 1:50 PM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] Traceroute through ASA
>>
>> By default the ASA is transparent to a traceroute due to the fact that it
>> does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4 it specifies
>> that inside hosts should be able to "successfully" traceroute to devices on
>> the drawing. What are the thoughts on using the method below to make the
>> ASA visible? In my opinion, it is a gray area, but a successful traceroute
>> should show the layer 3 devices.
>>
>> policy-map global_policy
>>  class class-default
>>   set connection decrement-ttl
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
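As an added illustration (not part of the thread above, and not Cisco's or IPexpert's code), the following Python model reproduces the behaviour the thread discusses: a hop that does not decrement TTL never originates ICMP 11/0 and so never appears in a traceroute; an ASA that does not permit 11/0 and 3/3 back in makes every hop behind it show as "*"; and an eBGP packet sent with TTL 1 still reaches a neighbor behind a non-decrementing ASA, which is why "disable-connected-check" alone was enough in the thread, while an ASA that does decrement would also need the raised TTL that "ebgp-multihop 2" provides. Hop names, addresses and subnets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# ICMP (type, code) pairs discussed in the thread
TIME_EXCEEDED = (11, 0)    # originated by a hop that decrements TTL to 0
PORT_UNREACHABLE = (3, 3)  # originated by the target when a UDP probe hits a closed port
ECHO_REPLY = (0, 0)        # originated by the target for an ICMP echo probe


@dataclass
class Hop:
    name: str
    address: str
    decrements_ttl: bool = True  # False models an ASA without "set connection decrement-ttl"
    blocks_icmp: bool = False    # True models an ASA that does not permit 11/0 and 3/3 back in


def forward_probe(path, ttl, udp=True):
    """Send one probe with the given TTL along `path` (last element = destination).
    Returns (index of the hop that answers, ICMP (type, code) it originates)."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:
            # destination reached: UDP probes get 3/3, ICMP echo probes get 0/0
            return i, (PORT_UNREACHABLE if udp else ECHO_REPLY)
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return i, TIME_EXCEEDED
        # a non-decrementing hop forwards the packet untouched and never answers
    raise ValueError("path must contain at least the destination")


def traceroute(path, udp=True, max_ttl=30):
    """Simulate traceroute: probes with TTL 1, 2, ... until the destination's reply is seen.
    Returns the addresses displayed; '*' means the reply was dropped on the way back."""
    shown = []
    for ttl in range(1, max_ttl + 1):
        idx, icmp = forward_probe(path, ttl, udp)
        # the reply travels back through every hop before the responder; a hop that
        # blocks ICMP drops it (a responder's own reply is not filtered by itself)
        reply_lost = any(h.blocks_icmp for h in path[:idx])
        shown.append("*" if reply_lost else path[idx].address)
        if not reply_lost and icmp != TIME_EXCEEDED:
            break  # destination answered, so traceroute stops
    return shown


def connected_check_passes(local_iface, neighbor_ip):
    """The eBGP connected check: the neighbor must sit in a directly attached subnet."""
    return ipaddress.ip_address(neighbor_ip) in ipaddress.ip_interface(local_iface).network


def ebgp_session_forms(path, local_iface, neighbor_ip, ttl=1, disable_connected_check=False):
    """eBGP packets leave with TTL 1 unless ebgp-multihop raises it. The session forms only
    if the packet reaches the neighbor with TTL unexpired AND the connected check passes
    (or has been disabled with "neighbor x.x.x.x disable-connected-check")."""
    idx, _ = forward_probe(path, ttl, udp=False)
    ttl_ok = idx == len(path) - 1
    return ttl_ok and (disable_connected_check or connected_check_passes(local_iface, neighbor_ip))


# Constructed topology: inside router R1 -> ASA -> outside router R2 -> host
R1 = Hop("R1", "10.0.1.1")
ASA_DEFAULT = Hop("ASA", "10.0.2.1", decrements_ttl=False)
ASA_DECREMENT = Hop("ASA", "10.0.2.1", decrements_ttl=True)
ASA_NO_ICMP = Hop("ASA", "10.0.2.1", decrements_ttl=False, blocks_icmp=True)
R2 = Hop("R2", "10.0.3.1")
HOST = Hop("host", "10.0.4.10")


def demo():
    """Collect the three traceroute views and the four eBGP outcomes in one dict."""
    return {
        "trace_default": traceroute([R1, ASA_DEFAULT, R2, HOST]),
        "trace_decrement_ttl": traceroute([R1, ASA_DECREMENT, R2, HOST]),
        "trace_icmp_blocked": traceroute([R1, ASA_NO_ICMP, R2, HOST], max_ttl=5),
        "ebgp_default": ebgp_session_forms([ASA_DEFAULT, R2], "10.0.1.1/24", "10.0.3.1"),
        "ebgp_disable_check": ebgp_session_forms(
            [ASA_DEFAULT, R2], "10.0.1.1/24", "10.0.3.1", disable_connected_check=True),
        "ebgp_decrement_ttl1": ebgp_session_forms(
            [ASA_DECREMENT, R2], "10.0.1.1/24", "10.0.3.1", disable_connected_check=True),
        "ebgp_decrement_multihop2": ebgp_session_forms(
            [ASA_DECREMENT, R2], "10.0.1.1/24", "10.0.3.1", ttl=2, disable_connected_check=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the ASA absent from the default trace, present once decrement-ttl is on, and every hop past an ICMP-blocking ASA as "*"; the eBGP results show that with a non-decrementing ASA only the connected check stands in the way, while a decrementing ASA needs the TTL raised as well.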
