[c-nsp] traceroute from ASA with source IP from inside interface
George Giannousopoulos
ggiannou at gmail.com
Wed Mar 16 08:34:43 EDT 2016
Hi,
It's been a while since I tried that, but I think you are not allowed by
default to ping an outside host using an inside interface as the source.
Each interface can successfully ping only in its egress direction unless
you change the rules.
--
George
On Wed, Mar 16, 2016 at 2:26 PM, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
> Hi Nick,
>
> the outgoing packets are UDP but the packets coming back should be icmp
> ttl expired, that is why I allowed icmp.
>
> I just tried to allow anything and out without any change, so I guess this
> is not rule-related at all.
>
> Any other ideas?
>
> kind regards
> Rolf
>
> > Traceroutes from ASA / routers use UDP not ICMP
> >
> > You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> > versions of the message you need - this is my traceroute config I use on
> > client contexts:
> >
> > Note these firewalls are non-internet facing so security is less important
> > to me than troubleshooting.
> >
> > access-list outside_access_in extended permit icmp any any unreachable
> > access-list outside_access_in extended permit icmp any any traceroute
> > access-list outside_access_in extended permit icmp any any time-exceeded
> >
> > policy-map global_policy
> >  class inspection_default
> >   inspect icmp
> >   inspect icmp error
> >
> >
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> > "Rolf Hanßen"
> > Sent: 16 March 2016 10:58
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] traceroute from ASA with source IP from inside interface
> >
> > Hi,
> >
> > I am new to ASA and wondering about the traceroute (and ping) behaviour.
> > I wanted to trace/ping with the IP address of the internal interface, but
> > anything I try results in stars:
> >
> > ASA# traceroute 8.8.8.8 source inside
> >
> > Type escape sequence to abort.
> > Tracing the route to 8.8.8.8
> >
> > 1 * * *
> > 2 * * *
> >
> > Tracing without setting a source (or "source outside") works fine.
> > I create a rule for the internal interface towards dst any service ip.
> > There is also a rule on the outside interface to allow icmp.
> > I replace "inside" with the IP.
> > Traceroutes from servers attached to the inside interface work fine.
> >
> > There is no control plane policy set.
> >
> > Is this a bug or some strange "security feature"?
> > Is there another part that maybe filters such traffic?
> > In the management access section I see only https/asdm/ssh/telnet.
> >
> > Maybe somebody can explain.
> >
> > kind regards
> > Rolf
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>