[c-nsp] traceroute from ASA with source IP from inside interface

"Rolf Hanßen" nsp at rhanssen.de
Wed Mar 16 08:26:56 EDT 2016


Hi Nick,

the outgoing packets are UDP but the packets coming back should be icmp
ttl expired, that is why I allowed icmp.

I just tried to allow anything in and out without any change, so I guess this
is not rule-related at all.

Any other ideas?

kind regards
Rolf

> Traceroutes from ASA / routers use UDP not ICMP
>
> You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> versions of the message you need - this is my traceroute config I use on
> client contexts:
>
> Note these firewalls are non-internet facing so security is less important
> to me than troubleshooting.
>
> access-list outside_access_in extended permit icmp any any unreachable
> access-list outside_access_in extended permit icmp any any traceroute
> access-list outside_access_in extended permit icmp any any time-exceeded
>
> policy-map global_policy
>  class inspection_default
>   inspect icmp
>   inspect icmp error
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> "Rolf Hanßen"
> Sent: 16 March 2016 10:58
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] traceroute from ASA with source IP from inside interface
>
> Hi,
>
> I am new to ASA and wondering about the traceroute (and ping) behaviour.
> I wanted to trace/ping with the IP address of the internal interface, but
> anything I try results in stars:
>
> ASA# traceroute 8.8.8.8 source inside
>
> Type escape sequence to abort.
> Tracing the route to 8.8.8.8
>
>  1   *  *  *
>  2   *  *  *
>
> Tracing without setting a source (or "source outside") works fine.
> I create a rule for the internal interface towards dst any service ip.
> There is also a rule on the outside interface to allow icmp.
> I replace "inside" with the IP.
> Traceroutes from servers attached to the inside interface work fine.
>
> There is no control plane policy set.
>
> Is this a bug or some strange "security feature"?
> Is there another part that maybe filters such traffic?
> In the management access section I see only https/asdm/ssh/telnet.
>
> Maybe somebody can explain.
>
> kind regards
> Rolf
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
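The quoted reply explains why the ACL needs the ICMP unreachable, traceroute and time-exceeded entries: a UDP traceroute probe with TTL k draws an ICMP time-exceeded from hop k, and the destination answers the last probe with port unreachable, so each hop shows stars when its reply is dropped inbound. The following is an added example (not code from the thread) that models just that: a minimal parser for the `permit icmp any any <icmp-type>` lines quoted above and a simulated traceroute that prints `*` for every hop whose return ICMP the ACL does not permit. It assumes the ASA keyword `traceroute` maps to ICMP type 30 and ignores inspection and everything else the firewall does.

```python
import re

# ASA ACL icmp-type keywords used in the thread and the ICMP type numbers they stand for
ICMP_TYPES = {"unreachable": 3, "time-exceeded": 11, "traceroute": 30}


def parse_acl(text):
    """Return the set of ICMP type numbers an ASA ACL permits inbound.
    Only the 'permit icmp any any <icmp-type>' form quoted in the thread is handled;
    any other line is ignored (assumption of this simplified model)."""
    allowed = set()
    pat = re.compile(r"access-list \S+ extended permit icmp any any (\S+)")
    for line in text.strip().splitlines():
        m = pat.match(line.strip())
        if m and m.group(1) in ICMP_TYPES:
            allowed.add(ICMP_TYPES[m.group(1)])
    return allowed


def simulate_traceroute(allowed_icmp, hops_to_dest):
    """Model a UDP traceroute: the probe with TTL k expires at hop k, which answers
    with ICMP time-exceeded (type 11); the destination answers the final probe with
    ICMP port unreachable (type 3). A hop is reported as '*' when the inbound ACL
    would drop that return packet."""
    hops = []
    for ttl in range(1, hops_to_dest + 1):
        reply_type = 3 if ttl == hops_to_dest else 11
        hops.append(f"hop{ttl}" if reply_type in allowed_icmp else "*")
    return hops


# Constructed samples: the ACL quoted in the thread, and a variant missing time-exceeded
FULL_ACL = """
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
"""
PARTIAL_ACL = "access-list outside_access_in extended permit icmp any any unreachable"

if __name__ == "__main__":
    print(simulate_traceroute(parse_acl(FULL_ACL), 3))     # ['hop1', 'hop2', 'hop3']
    print(simulate_traceroute(parse_acl(PARTIAL_ACL), 3))  # ['*', '*', 'hop3']
```

With only `unreachable` permitted, every intermediate hop is a star and only the destination answers, which is the kind of partial-star output that points at the return path rather than at the probes themselves.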