Thanks...

Here is the config....

ciscoasa(config)#
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2s9Ta9L7fM5sD87b encrypted
names
!
interface Ethernet0/0
 mac-address 0001.0002.0003 standby 0011.0022.0033
 nameif Outside
 security-level 0
 ip address 192.1.22.10 255.255.255.0 standby 192.1.22.11
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
interface Redundant1
 member-interface Ethernet0/1
 member-interface Ethernet0/2
 mac-address 0004.0005.0006 standby 0044.0055.0066
 nameif Inside
 security-level 100
 allow-ssc-mgmt
 ip address 10.22.22.10 255.255.255.0 standby 10.22.22.11
!
ftp mode passive
access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
access-list OUT extended permit udp any any range 33434 33464
access-list OUT extended permit icmp any any
pager lines 24
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 10.100.100.10 255.255.255.0 standby 10.100.100.11
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 192.1.22.51-192.1.22.99
global (Outside) 1 192.1.22.101
nat (Inside) 1 10.11.11.0 255.255.255.0
nat (Inside) 1 10.22.22.0 255.255.255.0
nat (Inside) 1 11.0.0.0 255.0.0.0
static (Inside,Outside) 192.1.22.100 10.11.11.25 netmask 255.255.255.255
static (Inside,Outside) 11.11.11.11 11.11.11.11 netmask 255.255.255.255
static (Outside,Inside) 10.22.22.202  access-list OUTSIDE-NAT-1
static (Outside,Inside) 10.22.22.222  access-list OUTSIDE-NAT-2
access-group OUT in interface Outside
!
router ospf 1
 network 192.1.22.0 255.255.255.0 area 0
 log-adj-changes
!
route Inside 10.11.11.0 255.255.255.0 10.22.22.1 1
route Inside 11.0.0.0 255.0.0.0 10.22.22.1 1
route Outside 202.2.2.2 255.255.255.255 192.1.22.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.22.22.1 255.255.255.255 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map TRACE
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect esmtp MAIL
 parameters
 match header to-fields count gt 20
policy-map type inspect ipsec-pass-thru IPSEC
 parameters
  esp per-client-max 15
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp MAIL
  inspect ipsec-pass-thru IPSEC
 class TRACE
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5493fe62f85520132924749056cb8796
: end
ciscoasa(config)#
R2#traceroute 11.11.11.11

Type escape sequence to abort.
Tracing the route to 11.11.11.11

  1 11.11.11.11 4 msec *  0 msec
  2 11.11.11.11 0 msec *  0 msec
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

O E2 16.0.0.0/8 [110/20] via 192.1.25.5, 02:42:19, Serial0/1/0.5
O E2 192.1.31.0/24 [110/20] via 192.1.25.5, 02:42:09, Serial0/1/0.5
O E2 33.0.0.0/8 [110/20] via 192.1.25.5, 02:42:09, Serial0/1/0.5
O    55.0.0.0/8 [110/65] via 192.1.25.5, 02:42:19, Serial0/1/0.5
C    202.2.2.0/24 is directly connected, Loopback200
C    192.1.25.0/24 is directly connected, Serial0/1/0.5
C    192.1.24.0/24 is directly connected, Serial0/1/0.4
O    192.1.40.0/24 [110/65] via 192.1.24.4, 02:42:29, Serial0/1/0.4
C    22.0.0.0/8 is directly connected, Loopback0
C    192.1.26.0/24 is directly connected, Serial0/1/0.6
O    192.1.66.0/24 [110/65] via 192.1.26.6, 02:42:10, Serial0/1/0.6
     10.0.0.0/32 is subnetted, 2 subnets
S       10.11.11.11 [1/0] via 192.1.22.10
S       10.22.22.1 [1/0] via 192.1.22.10
     192.168.23.0/30 is subnetted, 1 subnets
C       192.168.23.4 is directly connected, Tunnel2323
C    192.1.22.0/24 is directly connected, GigabitEthernet0/0
     11.0.0.0/32 is subnetted, 1 subnets
S       11.11.11.11 [1/0] via 192.1.22.10
C    192.168.22.0/24 is directly connected, Loopback23
O E2 192.1.35.0/24 [110/20] via 192.1.25.5, 02:42:22, Serial0/1/0.5
O E2 192.1.32.0/24 [110/20] via 192.1.25.5, 02:42:12, Serial0/1/0.5
     44.0.0.0/32 is subnetted, 1 subnets
O       44.44.44.44 [110/65] via 192.1.24.4, 02:42:32, Serial0/1/0.4
D    192.168.33.0/24 [90/27008000] via 192.168.23.6, 00:03:39, Tunnel2323
O E2 15.0.0.0/8 [110/20] via 192.1.25.5, 02:42:22, Serial0/1/0.5
R2#
Date: Tue, 11 May 2010 17:44:34 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]


Here's my topology

R2 ( 136.1.121.2 ) -------- (136.1.121.12 )  ASA 1  (136.1.122.12 ) ----- 
(136.1.122.1 ) R1
 
Here is the ASA config :

----------------------
 
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 136.1.122.12 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 136.1.121.12 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit udp any any range 33434 33464
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
 network 136.1.0.0
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map traceroute
 match any
!
!
policy-map traceroute
 class traceroute
  set connection decrement-ttl
!
When I try to do a traceroute from the outside to the inside, it succeeds.
 
R1#traceroute 136.1.121.2
 
Type escape sequence to abort.
Tracing the route to 136.1.121.2
 
  1 136.1.121.12 24 msec 36 msec *
  2 136.1.121.2 60 msec 76 msec *
 
Could you post the full ASA config?



On Tue, May 11, 2010 at 5:40 PM, Sumit Mahla <[email protected]> wrote:


Thanks Kings...
 

 


Date: Tue, 11 May 2010 17:36:49 +0530 

Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected] 





Sumit

There are two cases that we should handle with traceroute with reference to ASA.

Inside to outside
Outside to inside

When you initiate a traceroute from ASA inside, you need to allow the following
in the inbound ACL of the outside interface of the ASA.

Unix based

permit icmp any any eq time-exceeded
permit icmp any any eq unreachable

ICMP based

permit icmp any any eq time-exceeded
permit icmp any any eq echo-reply

When you initiate from outside the ASA

Unix based

permit udp any any range 33434 33464

ICMP based

permit icmp any any echo - icmp based trace route

With regards
Kings


On Tue, May 11, 2010 at 5:04 PM, Sumit Mahla <[email protected]> wrote:


ciscoasa(config)# sh run access-list
access-list OUTSIDE-NAT-1 extended permit ip host 202.2.2.2 host 11.11.11.11
access-list OUTSIDE-NAT-2 extended permit ip host 202.2.2.2 host 10.11.11.11 

access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any echo
access-list OUT extended permit icmp any any echo-reply 

access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
access-list OUT extended permit udp any any range 33434 33464

 
 
R2#traceroute 11.11.11.11
Type escape sequence to abort.
Tracing the route to 11.11.11.11
  1 11.11.11.11 0 msec *  0 msec
  2 11.11.11.11 0 msec *  0 msec
R2#traceroute 10.22.22.1
Type escape sequence to abort.
Tracing the route to 10.22.22.1
  1 10.22.22.1 0 msec *  0 msec
  2 10.22.22.1 0 msec *  0 msec
R2#

 
It is still not showing ASA as a hop..... 

 

 


Date: Tue, 11 May 2010 16:48:01 +0530
Subject: Re: [OSL | CCIE_Security] ASA to show as Traceroute Hop
From: [email protected] 

To: [email protected]
CC: [email protected]




Hello Sumit,
I see that on your outside interface you are using an ACL called "OUT".
Cisco uses Unix style traceroute, i.e. for the traceroute, the outside router
would send out UDP messages with incrementing TTL values to ports 33434 -
33464 (incrementing 3 times per hop, I think). Since the ACL does not
permit this traffic, traceroute messages from the outside are being blocked by
the ASA before it can even process them. So I would suggest adding the
following line to the outside ACL
"permit udp any any range 33434 33464"
Let me know if this improves anything?
Cheers,
TacACK
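Kings' two traceroute cases and TacACK's point about the UDP probe ports, as a toy Python model added here (not code from the thread, from Cisco or from any list member): it walks one UDP probe per TTL through an ASA that decrements TTL only when `decrement-ttl` is configured and passes only what its outside inbound ACL permits. The addresses are the thread's; `Rule`, `Node`, `send_probe`, `traceroute` and the two scenario helpers are assumptions of this model.

```python
from dataclasses import dataclass
TRACE_PORTS = range(33434, 33465)  # UDP ports a Unix/IOS traceroute probes, one per probe

@dataclass
class Rule:                          # one line of the ASA outside inbound ACL (constructed model)
    proto: str                       # "udp" or "icmp"
    icmp_type: str = None            # icmp rules: None matches any ICMP type
    ports: range = None              # udp rules: destination port range
    def matches(self, pkt):
        if self.proto == "icmp":
            return pkt["proto"] == "icmp" and self.icmp_type in (None, pkt["type"])
        return pkt["proto"] == "udp" and pkt["dport"] in self.ports

@dataclass
class Node:
    addr: str
    decrements_ttl: bool = True       # routers always; the ASA only with decrement-ttl
    acl: list = None                  # None = no ACL (router); [] = only the implicit deny
    outside_faces_source: bool = True # True: ACL sees the probes; False: it sees the replies
    def permits(self, pkt):
        return self.acl is None or any(r.matches(pkt) for r in self.acl)

def send_probe(path, pkt):
    """Forward one UDP probe along path; return the address that answers, or '*'."""
    for i, node in enumerate(path):
        if node.outside_faces_source and not node.permits(pkt):
            return "*"                # probe dropped by the ACL on the outside interface
        if node.decrements_ttl:
            pkt["ttl"] -= 1
        at_dest = i == len(path) - 1
        if not at_dest and pkt["ttl"] > 0:
            continue                  # forwarded on without answering
        reply = {"proto": "icmp", "type": "unreachable" if at_dest else "time-exceeded"}
        # The reply crosses every earlier node; an ASA whose outside faces the far side filters it.
        ok = all(n.outside_faces_source or n.permits(reply) for n in path[:i])
        return node.addr if ok else "*"

def traceroute(path):
    """One probe per TTL (real traceroute sends three) up to the destination."""
    return [send_probe(path, {"proto": "udp", "dport": TRACE_PORTS[n], "ttl": n + 1})
            for n in range(len(path))]
# Constructed cases with the thread's addresses: R2 (202.2.2.2) outside, 11.11.11.11 inside.
ICMP_ONLY = [Rule("icmp", icmp_type="time-exceeded"), Rule("icmp", icmp_type="unreachable")]
WITH_UDP = ICMP_ONLY + [Rule("udp", ports=TRACE_PORTS)]
def outside_to_inside(acl, decrement_ttl):
    asa = Node("192.1.22.10", decrements_ttl=decrement_ttl, acl=acl)
    return traceroute([asa, Node("11.11.11.11")])
def inside_to_outside(acl, decrement_ttl):
    asa = Node("10.22.22.10", decrements_ttl=decrement_ttl, acl=acl, outside_faces_source=False)
    return traceroute([asa, Node("202.2.2.2")])
```

With the UDP range permitted but no TTL decrement, `outside_to_inside(WITH_UDP, False)` returns the destination at hops 1 and 2, the same shape as the R2 output in the thread; with `decrement-ttl` the ASA address appears at hop 1.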



On Tue, May 11, 2010 at 4:23 PM, Sumit Mahla <[email protected]> wrote:


With the below config the traceroute from ASA's inside to outside works but not
from outside to inside....

Can somebody please suggest...?

From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 15:59:52 +0530
Subject: [OSL | CCIE_Security] ASA to show as Traceroute Hop 

Hello All,

If I do the following config.. on ASA....

class-map TRACE
 match any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class TRACE
  set connection decrement-ttl
access-list OUT extended permit icmp host 202.2.2.2 host 10.11.11.11
access-list OUT extended permit icmp host 202.2.2.2 host 11.11.11.11
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
ciscoasa(config)# sh run access-group
access-group OUT in interface Outside
ciscoasa(config)#

Still the ASA is not showing up as a HOP in traceroute... I am doing traceroute
from a router towards a router on the inside of ASA

Am I missing something?

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com