Thanks Kings...
Date: Tue, 11 May 2010 17:36:49 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]
Sumit
There are two cases that we should handle with traceroute with reference to ASA.
Inside to outside
Outside to inside
When you initiate a traceroute from ASA inside, you need to allow the following
in the inbound ACL of the outside interface of the ASA.
Unix based
permit icmp any any time-exceeded
permit icmp any any unreachable
ICMP based
permit icmp any any time-exceeded
permit icmp any any echo-reply
When you initiate from outside the ASA
Unix based
permit udp any any range 33434 33464
ICMP based
permit icmp any any echo - ICMP based traceroute
With regards
Kings
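An added config-audit example (not code from anyone in this thread): it parses the kind of ACL and MPF lines quoted in this thread and reports which of the traceroute cases Kings lists are permitted inbound on the outside interface, plus whether decrement-ttl is set so the ASA shows up as a hop. The SAMPLE_CONFIG excerpt is constructed from the thread's own lines; the function names are assumptions.

```python
import re

# Constructed running-config excerpt built from the ACL and policy lines
# posted in this thread (not a capture from a real device).
SAMPLE_CONFIG = """\
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
access-list OUT extended permit udp any any range 33434 33464
access-group OUT in interface Outside
policy-map global_policy
 class TRACE
  set connection decrement-ttl
"""

# access-list <name> extended permit <icmp|udp> <src> <dst> [qualifier]
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(icmp|udp)\s+\S+\s+\S+\s*(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$", re.I)

def parse_outside_acl(config):
    """Return (name of ACL applied inbound on Outside, set of (proto, qualifier))."""
    applied, rules = None, {}
    for line in config.splitlines():
        line = line.strip()
        m = GROUP_RE.match(line)
        if m:
            applied = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            name, proto, qual = m.groups()
            rules.setdefault(name, set()).add((proto, qual.strip()))
    return applied, rules.get(applied, set())

def traceroute_coverage(config):
    """Map each traceroute case from the thread to True/False for this config."""
    _, permits = parse_outside_acl(config)
    return {
        # replies returning inbound for a trace started on the inside
        "inside_unix": {("icmp", "time-exceeded"), ("icmp", "unreachable")} <= permits,
        "inside_icmp": {("icmp", "time-exceeded"), ("icmp", "echo-reply")} <= permits,
        # probes arriving from outside toward an inside host
        "outside_unix": ("udp", "range 33434 33464") in permits,
        "outside_icmp": ("icmp", "echo") in permits,
        # MPF action that makes the ASA itself appear as a hop
        "asa_shows_as_hop": "set connection decrement-ttl" in config,
    }
```

Running it on the excerpt with the UDP and echo lines removed reproduces the symptom from the first post: inside-to-outside passes, outside-to-inside does not.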
On Tue, May 11, 2010 at 5:04 PM, Sumit Mahla <[email protected]> wrote:
ciscoasa(config)# sh run access-list
access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
access-list OUT extended permit udp any any range 33434 33464
R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
1 11.11.11.11 0 msec * 0 msec
2 11.11.11.11 0 msec * 0 msec
R2#traceroute 10.22.22.1
Type escape sequence to abort.
Tracing the route to 10.22.22.1
1 10.22.22.1 0 msec * 0 msec
2 10.22.22.1 0 msec * 0 msec
R2#
It is still not showing ASA as a hop.....
Date: Tue, 11 May 2010 16:48:01 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]
Hello Sumit,
I see that on your outside interface you are using an ACL called "OUT".
Cisco uses Unix-style traceroute, i.e. for the traceroute, the outside router
would send out UDP messages with incrementing TTL values to ports 33434 -
33464 (incrementing 3 times per hop, I think). Since the ACL does not
permit this traffic, traceroute messages from the outside are being blocked by
the ASA before it can even process them. So I would suggest adding the
following line to the outside ACL
"permit udp any any range 33434 33464"
Let me know if this improves anything?
Cheers,
TacACK
On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:
With the below config the traceroute from ASA's inside to outside works but not
from outside to inside....
can somebody please suggest...?
From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 15:59:52 +0530
Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop
Hello All,
If I do the following config on ASA...
class-map TRACE
 match any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class TRACE
  set connection decrement-ttl
access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
ciscoasa(config)# sh run access-group
access-group OUT in interface Outside
ciscoasa(config)#
Still the ASA is not showing up as a HOP in traceroute... I am doing traceroute
from a router towards a router on the inside of ASA
Am I missing something?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com