Kings,
This is an example which works for me.
Topology
(lo0 1.1.1.1)R1(f0/0 10.1.101.1) --- (inside 10.1.101.10)ASA(outside 10.1.102.10) --- (f0/0 10.1.102.2)R2(lo0 2.2.2.2)
RIPv2 is running there to establish full connectivity.
Config:
ASA-FW(config)# static (IN,OUT) 10.1.102.1 10.1.101.1
ASA-FW(config)# access-list OUTSIDE_IN permit udp any any
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp error
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
Verification
Before enabling ICMP error inspection
R2#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.1.101.1 252 msec 212 msec *
After enabling ICMP error inspection
R2#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.1.102.1 200 msec 120 msec *
ASA-FW(config)# sh service-policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 60, drop 0, reset-drop 0
Inspect: icmp error, packet 2, drop 0, reset-drop 0
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
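As an added example (not part of Piotr's post and not Cisco code), the following Python script models the rewrite that the two traceroute outputs above show, and that the earlier "static (in,out) 10.1.1.99 10.2.2.2" explanation in the quoted thread describes: an ICMP error generated by an inside hop crosses the ASA from IN to OUT, and with icmp error inspection enabled its source address is translated per the static mapping. The addresses and the mapping are the ones from the topology above; the UDP probe and the ICMP port-unreachable from R1 are constructed in the script. Two things go beyond what the thread shows and are assumptions of the model: the error is only rewritten when its embedded datagram matches a connection the firewall already holds (otherwise it is dropped), and the embedded IP header is un-translated as well (real inside address back to the mapped one) so the outside host can match the quoted datagram to its own probe.

```python
"""Model of ASA 'inspect icmp error' across a static NAT (added example; not Cisco code).

Topology from the post: R2 (10.1.102.2, outside) traces to R1 lo0 (1.1.1.1);
R1 answers from its f0/0 address 10.1.101.1, which carries the mapping
static (IN,OUT) 10.1.102.1 10.1.101.1.  All packets below are constructed.
"""
import ipaddress
import struct
from typing import Optional

STATIC_NAT = {"10.1.101.1": "10.1.102.1"}   # real inside address -> mapped outside address
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}        # unreachable, quench, redirect, time-exceeded, param problem
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_icmp_error(itype: int, code: int, original: bytes) -> bytes:
    """RFC 792 error body: type, code, checksum, 4 unused bytes, original IP header + 8 bytes."""
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    return icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"ihl": ihl, "ttl": pkt[8], "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:]}


def _set_addrs(pkt: bytes, src: str, dst: str) -> bytes:
    """Rewrite the IPv4 src/dst of pkt and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(src).packed
    hdr[16:20] = ipaddress.IPv4Address(dst).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def inspect_icmp_error(pkt: bytes, connections: set, nat: dict = STATIC_NAT,
                       enabled: bool = True) -> Optional[bytes]:
    """Forward an ICMP packet from IN to OUT the way the ASA does with/without
    'inspect icmp error'.  connections holds (outside_src, real_inside_dst, proto)
    tuples for probes the firewall already let in.  Returns the packet as it
    leaves OUT, or None when the error refers to no known connection (assumed drop)."""
    outer = parse_ipv4(pkt)
    icmp = outer["payload"]
    if outer["proto"] != IPPROTO_ICMP or icmp[0] not in ICMP_ERROR_TYPES:
        return pkt                                  # echo etc.: plain 'inspect icmp' territory
    inner = parse_ipv4(icmp[8:])                    # the datagram that triggered the error
    if (inner["src"], inner["dst"], inner["proto"]) not in connections:
        return None
    if not enabled:
        return pkt                                  # the hop's real address leaks to the outside
    # Translate the hop that generated the error per the static (IN,OUT) mapping ...
    new_src = nat.get(outer["src"], outer["src"])
    # ... and un-translate the embedded header (real inside -> mapped) so the outside
    # host can match the quoted datagram to its own probe (assumption of this model).
    inner_pkt = _set_addrs(icmp[8:], inner["src"], nat.get(inner["dst"], inner["dst"]))
    body = icmp[:2] + b"\x00\x00" + icmp[4:8] + inner_pkt
    new_icmp = body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]
    return _set_addrs(pkt[:outer["ihl"]] + new_icmp, new_src, outer["dst"])


def traceroute_hop(enabled: bool) -> dict:
    """The post's verification: R2 probes 1.1.1.1 with TTL 1; R1 answers ICMP
    port-unreachable from 10.1.101.1.  Returns what R2 would print as hop 1."""
    probe = build_ipv4("10.1.102.2", "1.1.1.1", IPPROTO_UDP,
                       struct.pack("!HHHH", 49152, 33434, 8, 0), ttl=1)
    error = build_ipv4("10.1.101.1", "10.1.102.2", IPPROTO_ICMP, build_icmp_error(3, 3, probe))
    out = inspect_icmp_error(error, {("10.1.102.2", "1.1.1.1", IPPROTO_UDP)}, enabled=enabled)
    if out is None:
        return {"dropped": True}
    o = parse_ipv4(out)
    return {"dropped": False, "hop_src": o["src"],
            "ip_csum_ok": ip_checksum(out[:o["ihl"]]) == 0,
            "icmp_csum_ok": ip_checksum(o["payload"]) == 0}


if __name__ == "__main__":
    print("before:", traceroute_hop(enabled=False)["hop_src"])   # 10.1.101.1
    print("after: ", traceroute_hop(enabled=True)["hop_src"])    # 10.1.102.1
```

Running it prints the same first-hop change the two traceroutes above show (10.1.101.1 without error inspection, 10.1.102.1 with it); both the IP and the ICMP checksums are recomputed so a receiving stack would accept the rewritten error rather than silently discard it.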
2010/1/25 Kingsley Charles <[email protected]>
> Hi Tyson
>
> I have no issues in configuring ASA to allow traceroute.
>
> But I am not able to get the picture of where to use inspect icmp error. I
> tried scenarios but it didn't work.
>
> Just wanted to understand why the ASA provides the inspect icmp error
> option.
>
> With regards
> Kings
>
> On Mon, Jan 25, 2010 at 5:55 PM, Tyson Scott <[email protected]> wrote:
>
>> Kingsley,
>>
>> Are you wanting to allow traceroute in both directions?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Monday, January 25, 2010 5:01 AM
>> To: Piotr Matusiak
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] inspect icmp error
>>
>> Hi Piotr
>>
>> This is the ACL on the outside interface.
>>
>> ciscoasa# sh run access-list 120
>> access-list 120 extended permit udp any any range 33434 33464
>> access-list 120 extended permit icmp any any echo
>> access-list 120 extended permit icmp any any unreachable
>> access-list 120 extended permit icmp any any time-exceeded
>> access-list 120 extended permit icmp any any echo-reply
>>
>> With regards
>> Kings
>>
>> On Mon, Jan 25, 2010 at 3:28 PM, Piotr Matusiak <[email protected]> wrote:
>>
>> Kings,
>>
>> Have you opened a hole for UDP packets (traceroute) in the outside ACL?
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>>
>> 2010/1/25 Kingsley Charles <[email protected]>
>>
>> Hi Piotr
>>
>> I did try that before sending this mail. The traceroute just prints "*"
>> and no IP addresses are present.
>>
>> How can you traceroute to an untranslated IP address from a lower
>> security level interface?
>>
>> With regards
>> Kings
>>
>> On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote:
>>
>> Hi,
>>
>> You must traceroute private (untranslated) IP address of the host in the
>> inside network to see the difference.
>>
>> For example:
>>
>> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0)
>>
>> Assuming you have the following translation on the ASA:
>> static (in,out) 10.1.1.99 10.2.2.2
>>
>> Run the following command on R1:
>> traceroute <R2-lo0>
>>
>> You will see that ASA translates ICMP time-exceeded or unreachable IP
>> address to 10.1.1.99 (if you have icmp error inspection enabled). If not,
>> you will see untranslated IP address of R2 (10.2.2.2).
>>
>> HTH,
>> Piotr Matusiak
>>
>> 2010/1/25 Kingsley Charles <[email protected]>
>>
>> Hi all
>>
>> Can someone please let me know, where would we actually use "inspect icmp
>> error". I am not getting the right explanation.
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194
>>
>> With inspect icmp error enabled, I tried an IOS traceroute from outside to
>> a host behind the ASA. With "set connection decrement-ttl", the internal
>> address is revealed.
>>
>> Do we use "inspect icmp error" to reveal the actual internal IP address?
>>
>> With regards
>>
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com