Thx Piotr/Tyson. It worked. The issue was that I didn't configure static nat that translated the loopback address back to the same address for generating ARP response.
With regards Kings On Mon, Jan 25, 2010 at 6:55 PM, Piotr Matusiak <[email protected]> wrote: > Kings, > > This is an example which works for me. > Topology > > (lo0 1.1.1.1)R1(f0/0 10.1.101.1) --- (inside 10.1.101.10)ASA(outside > 10.1.102.10) --- (f0/0 10.1.102.2)R2(lo0 2.2.2.2) > > RIPv2 is working to there to establish full connectivity. > > > Config: > > ASA-FW(config)# static (IN,OUT) 10.1.102.1 10.1.101.1 > > ASA-FW(config)# access-list OUTSIDE_IN permit udp any any > ASA-FW(config)# access-group OUTSIDE_IN in interface OUT > > ASA-FW(config)# policy-map global_policy > ASA-FW(config-pmap)# class inspection_default > ASA-FW(config-pmap-c)# inspect icmp error > ASA-FW(config-pmap-c)# exit > ASA-FW(config-pmap)# exit > > > > Verification > Before enabling ICMP error inspection > > R2#traceroute 1.1.1.1 > > Type escape sequence to abort. > Tracing the route to 1.1.1.1 > > 1 10.1.101.1 252 msec 212 msec * > > > After enabling ICMP error inspection > > R2#traceroute 1.1.1.1 > > Type escape sequence to abort. > Tracing the route to 1.1.1.1 > > 1 10.1.102.1 200 msec 120 msec * > > > > ASA-FW(config)# sh service-policy global > > Global policy: > Service-policy: global_policy > Class-map: inspection_default > Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0 > Inspect: ftp, packet 0, drop 0, reset-drop 0 > Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0 > Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0 > Inspect: netbios, packet 0, drop 0, reset-drop 0 > Inspect: rsh, packet 0, drop 0, reset-drop 0 > Inspect: rtsp, packet 0, drop 0, reset-drop 0 > Inspect: skinny , packet 0, drop 0, reset-drop 0 > Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0 > Inspect: sqlnet, packet 0, drop 0, reset-drop 0 > Inspect: sunrpc, packet 0, drop 0, reset-drop 0 > Inspect: tftp, packet 0, drop 0, reset-drop 0 > Inspect: sip , packet 0, drop 0, reset-drop 0 > Inspect: xdmcp, packet 0, drop 0, reset-drop 0 > Inspect: icmp, packet 60, drop 0, reset-drop 0 > Inspect: icmp error, packet 2, drop 0, reset-drop 0 > > > > HTH, > -- > Piotr Matusiak > CCIE #19860 (R&S, Security) > > > > 2010/1/25 Kingsley Charles <[email protected]> > >> Hi Tyson >> >> I have no issues in configuring ASA to allow traceroute. >> >> But I am not able to get the picture of where to use inspect icmp error. I >> tried scenarios but it didn;t work. >> >> Just wanted to understand why ASA have provided the inspect icmp error >> option. >> >> >> >> >> With regards >> Kings >> >> >> >> >> On Mon, Jan 25, 2010 at 5:55 PM, Tyson Scott <[email protected]> wrote: >> >>> Kingsley, >>> >>> >>> >>> Are you wanting to allow traceroute in both directions? >>> >>> >>> >>> Regards, >>> >>> >>> >>> Tyson Scott - CCIE #13513 R&S, Security, and SP >>> >>> Technical Instructor - IPexpert, Inc. >>> >>> Mailto: [email protected] >>> >>> Telephone: +1.810.326.1444, ext. 208 >>> >>> Live Assistance, Please visit: www.ipexpert.com/chat >>> >>> eFax: +1.810.454.0130 >>> >>> >>> >>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA >>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & >>> Service Provider) Certification Training with locations throughout the >>> United States, Europe and Australia. Be sure to check out our online >>> communities at www.ipexpert.com/communities and our public website at >>> www.ipexpert.com >>> >>> >>> >>> *From:* [email protected] [mailto: >>> [email protected]] *On Behalf Of *Kingsley >>> Charles >>> *Sent:* Monday, January 25, 2010 5:01 AM >>> *To:* Piotr Matusiak >>> *Cc:* [email protected] >>> *Subject:* Re: [OSL | CCIE_Security] inspect icmp error >>> >>> >>> >>> Hi Piotr >>> >>> >>> >>> This is the ACL on the outside interface. >>> >>> >>> >>> ciscoasa# sh run access-list 120 >>> access-list 120 extended permit udp any any range 33434 33464 >>> access-list 120 extended permit icmp any any echo >>> access-list 120 extended permit icmp any any unreachable >>> access-list 120 extended permit icmp any any time-exceeded >>> access-list 120 extended permit icmp any any echo-reply >>> >>> >>> >>> With regards >>> >>> Kings >>> >>> On Mon, Jan 25, 2010 at 3:28 PM, Piotr Matusiak <[email protected]> wrote: >>> >>> Kings, >>> >>> Have you opened a hole for UDP packets (traceroute) in the outside ACL? >>> >>> HTH, >>> -- >>> Piotr Matusiak >>> CCIE #19860 (R&S, Security) >>> >>> >>> >>> 2010/1/25 Kingsley Charles <[email protected]> >>> >>> Hi Piotr >>> >>> >>> >>> I did try that before sending this mail. The traceroute just prints "*" >>> and no Ip addresses are present. >>> >>> >>> >>> How can you traceroute to an unstranslated IP address from a lower >>> security level interface. >>> >>> >>> >>> >>> >>> With regards >>> >>> Kings >>> >>> On Mon, Jan 25, 2010 at 2:51 PM, Piotr Matusiak <[email protected]> wrote: >>> >>> Hi, >>> >>> You must traceroute private (untranslated) IP address of the host in the >>> inside network to see the difference. >>> >>> For example: >>> >>> (lo0)R1 -10.1.1.0- (out)ASA(in) -10.2.2.0- R2(lo0) >>> >>> Assuming you have the following translation on the ASA: >>> static (in,out) 10.1.1.99 10.2.2.2 >>> >>> Run the following command on R1: >>> traceroute <R2-lo0> >>> >>> You will see that ASA translates ICMP time-exceeded or unreachable IP >>> address to 10.1.1.99 (if you have icmp error inspection enabled). If not, >>> you will see untranslated IP address of R2 (10.2.2.2). >>> >>> >>> HTH, >>> Piotr Matusiak >>> >>> >>> 2010/1/25 Kingsley Charles <[email protected]> >>> >>> Hi all >>> >>> >>> >>> Can someone please let me know, where would we actually use "inspect icmp >>> error". I am not getting the right explanation. >>> >>> >>> >>> >>> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1726194 >>> >>> >>> >>> >>> >>> With inspect icmp error enabled, I tried to IOS traceroute from outside >>> to a host behind the ASA. With "set connection decrement-ttl", the internel >>> address is revealed. >>> >>> >>> >>> Do we use "inspect icmp error", to reveal the actual internal IP address? >>> >>> >>> >>> >>> >>> >>> >>> With regards >>> >>> Kings >>> >>> >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, please >>> visit www.ipexpert.com >>> >>> >>> >>> >>> >>> >>> >>> >>> >> >> >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com >> >> >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
