Here's my topology:

R2 (136.1.121.2) -------- (136.1.121.12) ASA1 (136.1.122.12) ----- (136.1.122.1) R1

Here is the ASA config:
----------------------
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 136.1.122.12 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 136.1.121.12 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit udp any any range 33434 33464
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
 network 136.1.0.0
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map traceroute
 match any
!
!
policy-map traceroute
 class traceroute
  set connection decrement-ttl
!

When I try to do a traceroute from the outside to the inside, it succeeds.

R1#traceroute 136.1.121.2
Type escape sequence to abort.
Tracing the route to 136.1.121.2
  1 136.1.121.12 24 msec 36 msec *
  2 136.1.121.2 60 msec 76 msec *

Could you post the full ASA config?

On Tue, May 11, 2010 at 5:40 PM, Sumit Mahla <[email protected]> wrote:

> Thanks Kings...
>
> ------------------------------
> Date: Tue, 11 May 2010 17:36:49 +0530
> Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
>
> Sumit
>
> There are two cases that we should handle with traceroute with reference to ASA.
>
> Inside to outside
> Outside to inside
>
> When you initiate a traceroute from ASA inside, you need to allow the following in the inbound ACL of the outside interface of the ASA.
>
> Unix based
>
> permit icmp any any eq time-exceeded
> permit icmp any any eq unreachable
>
> ICMP based
>
> permit icmp any any eq time-exceeded
> permit icmp any any eq echo-reply
>
> When you initiate from outside the ASA
>
> Unix based
>
> permit udp any any range 33434 33464
>
> ICMP based
>
> permit icmp any any echo - icmp based trace route
>
> With regards
> Kings
>
> On Tue, May 11, 2010 at 5:04 PM, Sumit Mahla <[email protected]> wrote:
>
> ciscoasa(config)# sh run access-list
> access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
> access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host 10.11.11.11
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any echo
> access-list OUT extended permit icmp any any echo-reply
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
> access-list OUT extended permit udp any any range 33434 33464
>
> R2#traceroute 11.11.11.11
> Type escape sequence to abort.
> Tracing the route to 11.11.11.11
>   1 11.11.11.11 0 msec * 0 msec
>   2 11.11.11.11 0 msec * 0 msec
> R2#traceroute 10.22.22.1
> Type escape sequence to abort.
> Tracing the route to 10.22.22.1
>   1 10.22.22.1 0 msec * 0 msec
>   2 10.22.22.1 0 msec * 0 msec
> R2#
>
> It is still not showing ASA as a hop.....
>
> ------------------------------
> Date: Tue, 11 May 2010 16:48:01 +0530
> Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Hello Sumit,
> I see that on your outside interface you are using an ACL called "OUT". Cisco uses Unix style traceroute, i.e. for the traceroute, the outside router would send out UDP messages with incrementing TTL values to ports 33434 - 33464 (incrementing 3 times per hop, I think). Since the ACL does not permit this traffic, traceroute messages from the outside are being blocked by the ASA before it can even process them. So I would suggest adding the following line to the outside ACL:
> "permit udp any any range 33434 33464"
> Let me know if this improves anything?
> Cheers,
> TacACK
>
> On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:
>
> With the below config the traceroute from ASA's inside to outside works but not from outside to inside....
>
> Can somebody please suggest...?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 15:59:52 +0530
> Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop
>
> Hello All,
>
> If I do the following config on ASA....
>
> class-map TRACE
>  match any
>
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect rsh
>   inspect rtsp
>   inspect esmtp
>   inspect sqlnet
>   inspect skinny
>   inspect sunrpc
>   inspect xdmcp
>   inspect sip
>   inspect netbios
>   inspect tftp
>  class TRACE
>   set connection decrement-ttl
>
> access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
> access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
> access-list OUT extended permit icmp any any time-exceeded
> access-list OUT extended permit icmp any any unreachable
>
> ciscoasa(config)# sh run access-group
> access-group OUT in interface Outside
> ciscoasa(config)#
>
> Still the ASA is not showing up as a HOP in traceroute... I am doing traceroute from a router towards a router on the inside of ASA
>
> Am I missing something?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
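The thread's advice boils down to a small rule table (which direction the traceroute runs in, and whether it uses UDP probes or ICMP echo) mapped to the entries the inbound ACL on the outside interface must permit. The script below is an added example written for this page, not code posted by anyone in the thread: it encodes that table from Kings' reply, parses ASA `access-list ... extended` lines, and walks the ACL top-down the way the ASA evaluates it (first match wins), reporting each required traffic class that is not fully permitted. The sample ACLs are the two versions of "OUT" copied from the thread. Assumptions beyond what the thread states: a requirement counts as fully met only by an `any any` ACE (probes may involve any host), host-specific ACEs are treated as partial matches, source-port qualifiers and object-groups are not evaluated, and only the UDP 33434-33464 and ICMP echo flavours Kings describes are modelled.

```python
import re
from collections import namedtuple

# Entries the thread says the inbound ACL on the outside interface must permit,
# keyed by (direction of the traceroute, probe flavour): "udp" = Unix/IOS
# traceroute (UDP probes to ports 33434-33464), "icmp" = ICMP echo probes.
REQUIRED = {
    ("inside-to-outside", "udp"):  [("icmp", "time-exceeded"), ("icmp", "unreachable")],
    ("inside-to-outside", "icmp"): [("icmp", "time-exceeded"), ("icmp", "echo-reply")],
    ("outside-to-inside", "udp"):  [("udp", (33434, 33464))],
    ("outside-to-inside", "icmp"): [("icmp", "echo")],
}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
# icmp_type None = every ICMP type; ports (0, 65535) = every destination port
Ace = namedtuple("Ace", "acl action proto src dst icmp_type ports")

def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] in ("any", "any4", "any6"):
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i] + "/" + t[i + 1], i + 2      # object-groups are not expanded (assumption)

def _ports(t, i):
    """Consume an optional 'eq N' / 'range A B' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return (0, 65535), i

def parse_ace(line):
    """Parse one 'access-list NAME extended permit|deny ...' line, else None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    t = rest.split()
    src, i = _addr(t, 0)
    _, i = _ports(t, i)                      # source-port qualifier: parsed, ignored
    dst, i = _addr(t, i)
    icmp_type, ports = None, (0, 65535)
    if proto == "icmp" and i < len(t):
        icmp_type = t[i]
    elif proto in ("udp", "tcp"):
        ports, _ = _ports(t, i)
    return Ace(acl, action, proto, src, dst, icmp_type, ports)

def _match(ace, need):
    """(intersects, fully covers); only any/any ACEs count as full (assumption)."""
    proto, qual = need
    if ace.proto not in (proto, "ip"):
        return False, False
    if proto == "icmp":
        if ace.icmp_type not in (None, qual):
            return False, False
        scope_full = True
    else:
        lo, hi = qual
        if ace.ports[1] < lo or ace.ports[0] > hi:
            return False, False
        scope_full = ace.ports[0] <= lo and ace.ports[1] >= hi
    return True, scope_full and ace.src == "any" and ace.dst == "any"

def check_traceroute_acl(lines, acl_name, direction, flavour):
    """First-match walk of the ACL; return [(class, 'missing'|'denied')] for each class not permitted."""
    aces = [a for a in map(parse_ace, lines) if a and a.acl == acl_name]
    problems = []
    for need in REQUIRED[(direction, flavour)]:
        verdict = "missing"
        for ace in aces:
            hit, full = _match(ace, need)
            if not hit:
                continue
            if ace.action == "deny":        # a deny reached first blocks some probes
                verdict = "denied"
                break
            if full:
                verdict = "ok"
                break
            # partial permit (specific hosts or a sub-range): keep walking
        if verdict != "ok":
            problems.append((need, verdict))
    return problems

# The "OUT" ACL as first posted, and as Sumit showed it after adding echo,
# echo-reply and the UDP range (both copied from the thread).
OUT_ORIGINAL = [
    "access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11",
    "access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11",
    "access-list OUT extended permit icmp any any time-exceeded",
    "access-list OUT extended permit icmp any any unreachable",
]
OUT_FIXED = OUT_ORIGINAL[:2] + [
    "access-list OUT extended permit icmp any any echo",
    "access-list OUT extended permit icmp any any echo-reply",
] + OUT_ORIGINAL[2:] + ["access-list OUT extended permit udp any any range 33434 33464"]
```

`check_traceroute_acl(OUT_ORIGINAL, "OUT", "outside-to-inside", "udp")` returns the missing UDP 33434-33464 class, which is exactly what TacACK diagnosed, while the same ACL passes for `"inside-to-outside"` because time-exceeded and unreachable are already permitted; `OUT_FIXED` passes in both directions for both flavours. Because the walk is first-match, a `deny udp any any eq 33440` placed above the permit is reported as `denied` rather than silently accepted, which is the shadowing case a quick eyeball of an ACL tends to miss.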
