Sumit,

There are two cases that we should handle with traceroute with reference to ASA:
1. Inside to outside
2. Outside to inside

When you initiate a traceroute from ASA inside, you need to allow the following in the inbound ACL of the outside interface of the ASA.

Unix based:
permit icmp any any eq time-exceeded
permit icmp any any eq unreachable

ICMP based:
permit icmp any any eq time-exceeded
permit icmp any any eq echo-reply

When you initiate from outside the ASA:

Unix based:
permit udp any any range 33434 33464

ICMP based:
permit icmp any any echo   (icmp based traceroute)

With regards
Kings

On Tue, May 11, 2010 at 5:04 PM, Sumit Mahla <[email protected]> wrote:
> ciscoasa(config)# sh run access-list
> access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
> access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host 10.11.11.11
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any echo
> access-list OUT extended permit icmp any any echo-reply
>
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
> access-list OUT extended permit udp any any range 33434 33464
>
> R2#traceroute 11.11.11.11
> Type escape sequence to abort.
> Tracing the route to 11.11.11.11
>
>   1 11.11.11.11 0 msec * 0 msec
>   2 11.11.11.11 0 msec * 0 msec
> R2#traceroute 10.22.22.1
> Type escape sequence to abort.
> Tracing the route to 10.22.22.1
>
>   1 10.22.22.1 0 msec * 0 msec
>   2 10.22.22.1 0 msec * 0 msec
> R2#
>
> It is still not showing ASA as a hop.....
>
> ------------------------------
> Date: Tue, 11 May 2010 16:48:01 +0530
> Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Hello Sumit,
> I see that on your outside interface you are using an ACL called "OUT".
> Cisco uses Unix style traceroute, i.e. for the traceroute, the outside
> router would send out UDP messages with incrementing TTL values to ports
> 33434 - 33464 (incrementing 3 times per hop, I think). Since the ACL
> does not permit this traffic, traceroute messages from the outside are being
> blocked by the ASA before it can even process them. So I would suggest
> adding the following line to the outside ACL:
> "permit udp any any range 33434 33464"
> Let me know if this improves anything?
> Cheers,
> TacACK
>
> On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:
>
> With the below config the traceroute from ASA's inside to outside works but
> not from outside to inside....
>
> Can somebody please suggest...?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 15:59:52 +0530
> Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop
>
> Hello All,
>
> If I do the following config.. on ASA....
>
> class-map TRACE
>  match any
>
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>  class TRACE
>   set connection decrement-ttl
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
>
> ciscoasa(config)# sh run access-group
> access-group OUT in interface Outside
> ciscoasa(config)#
>
> Still the ASA is not showing up as a HOP in traceroute... I am doing
> traceroute from a router towards a router on the inside of ASA.
>
> Am I missing something?
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
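An added example, not from the thread or from Cisco: a small Python model of the two traceroute cases Kings lists, evaluated against Sumit's OUT ACL before and after the echo and UDP lines were added. The ACL subset, the function names and the hosts used as packet endpoints are assumptions; the model only covers the `any`/`host` syntax the thread uses, and it says nothing about `set connection decrement-ttl`, which is the part that actually makes the ASA appear as a hop.

```python
import re
from ipaddress import ip_address, ip_network

UDP_TRACE_PORTS = range(33434, 33465)  # classic Unix traceroute probe ports
# Constructed sample: Sumit's first OUT ACL, then the lines from his later post.
FIRST_OUT = """access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable""".splitlines()
FINAL_OUT = FIRST_OUT + """access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit udp any any range 33434 33464""".splitlines()

def _addr(tokens):
    """Consume one ASA address spec: 'any' or 'host A.B.C.D' (all the thread uses)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    return ip_network(tokens[1]), tokens[2:]  # host A.B.C.D -> /32

def parse_acl(lines, name):
    """ACEs of ACL `name` as (proto, src, dst, trailing qualifier tokens)."""
    aces = []
    for line in lines:
        m = re.match(rf"access-list {name} extended permit (\S+) (.+)", line.strip())
        if m:  # other ACL names (e.g. OUTSIDE-NAT-1) are not applied to the interface
            src, rest = _addr(m.group(2).split())
            dst, rest = _addr(rest)
            aces.append((m.group(1), src, dst, rest))
    return aces

def permitted(aces, proto, src, dst, icmp_type=None, dport=None):
    """First-match check of one inbound packet against permit-only ACEs."""
    for p, s, d, q in aces:
        if p not in (proto, "ip") or ip_address(src) not in s or ip_address(dst) not in d:
            continue
        if p == "ip" or not q:  # no qualifier: every ICMP type / every port
            return True
        if p == "icmp" and q[0] == icmp_type:
            return True
        if p == "udp" and q[0] == "range" and int(q[1]) <= dport <= int(q[2]):
            return True
    return False

def traceroute_cases(aces, outside_host, inside_host):
    """The thread's four cases; every packet here arrives inbound on the outside ACL."""
    icmp = lambda t: permitted(aces, "icmp", outside_host, inside_host, icmp_type=t)
    udp = all(permitted(aces, "udp", outside_host, inside_host, dport=p) for p in UDP_TRACE_PORTS)
    return {"inside_to_outside_unix": icmp("time-exceeded") and icmp("unreachable"),
            "inside_to_outside_icmp": icmp("time-exceeded") and icmp("echo-reply"),
            "outside_to_inside_unix": udp,
            "outside_to_inside_icmp": icmp("echo")}
```

Note that an ICMP ACE with no type, like the `host 202.2.2.2 host 10.11.11.11` line, permits every ICMP type between those two hosts, so the model reports the outside-to-inside ICMP case as working for 10.11.11.11 even with the first ACL, while it fails for 10.22.22.1.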
