[c-nsp] traceroute from ASA with source IP from inside interface
Nick Cutting
ncutting at edgetg.co.uk
Wed Mar 16 07:07:44 EDT 2016
Traceroutes from ASA / routers use UDP not ICMP
You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute versions of the message you need - this is my traceroute config I use on client contexts:
Note these firewalls are non-internet facing so security is less important to me than troubleshooting.
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
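The correlation that the "inspect icmp error" line above relies on, as an added Python model written for this post (not code from the thread, from Cisco, or from the ASA itself): an ICMP time-exceeded or unreachable reply is parsed, the original UDP probe quoted in its payload is extracted, and the reply is admitted only if that probe matches an existing session. The addresses, ports, session table and packet builder are constructed for illustration, and NAT rewriting of the quoted header is left out.

```python
import struct
from ipaddress import IPv4Address

# Constructed session table: what a stateful firewall holds after sending one
# UDP traceroute probe sourced from its inside interface address (192.0.2.10).
SESSIONS = {("192.0.2.10", 33434, "8.8.8.8", 33434, "udp")}

def parse_ipv4(buf):
    """Return (protocol, src, dst, header_length) from a raw IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    proto = buf[9]
    src = str(IPv4Address(buf[12:16]))
    dst = str(IPv4Address(buf[16:20]))
    return proto, src, dst, ihl

def icmp_error_matches_session(packet, sessions=SESSIONS):
    """Simplified model of 'inspect icmp error': admit an ICMP unreachable (3)
    or time-exceeded (11) only when the datagram quoted in its payload belongs
    to a known UDP session. Returns the matched 5-tuple, or None to drop."""
    proto, _, _, ihl = parse_ipv4(packet)
    if proto != 1:                          # not ICMP at all
        return None
    icmp = packet[ihl:]
    if icmp[0] not in (3, 11):              # only error messages carry a quote
        return None
    inner = icmp[8:]                        # quoted original IP header + 8 bytes
    in_proto, in_src, in_dst, in_ihl = parse_ipv4(inner)
    if in_proto != 17:                      # traceroute probes here are UDP
        return None
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    key = (in_src, sport, in_dst, dport, "udp")
    return key if key in sessions else None

def build_time_exceeded(hop_ip, probe_src, probe_dst, sport, dport):
    """Constructed ICMP type 11 reply from an intermediate hop quoting the probe."""
    inner_ip = struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 1, 17, 0) \
        + IPv4Address(probe_src).packed + IPv4Address(probe_dst).packed
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = bytes([11, 0, 0, 0, 0, 0, 0, 0]) + inner_ip + inner_udp
    outer_ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0) \
        + IPv4Address(hop_ip).packed + IPv4Address(probe_src).packed
    return outer_ip + icmp
```

A reply whose quoted probe has no matching session (a different port, for instance) is dropped, which is exactly the situation the access-list entries above are there to override when inspection is not in place.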
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of "Rolf Hanßen"
Sent: 16 March 2016 10:58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] traceroute from ASA with source IP from inside interface
Hi,
I am new to ASA and wondering about the traceroute (and ping) behaviour.
I wanted to trace/ping with the IP address of the internal interface, but anything I try results in stars:
ASA# traceroute 8.8.8.8 source inside
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 * * *
2 * * *
Tracing without setting a source (or "source outside") works fine.
I create a rule for the internal interface towards dst any service ip.
There is also a rule on the outside interface to allow icmp.
I replace "inside" with the IP.
Traceroutes from servers attached to the inside interface work fine.
There is no control plane policy set.
Is this a bug or some strange "security feature"?
Is there another part that maybe filters such traffic?
In the management access section I see only https/asdm/ssh/telnet.
Maybe somebody can explain.
Kind regards,
Rolf
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/