[c-nsp] traceroute from ASA with source IP from inside interface

Nick Cutting ncutting at edgetg.co.uk
Wed Mar 16 08:42:45 EDT 2016


Sorry didn’t see you were trying to go across interfaces.

As George said, this is not allowed at all, even with inspect rules / ACLs allowing any.

There is ONE exception to this rule, and this is for VPN management of the firewall across the outside interface, to the inside.

Nick

From: George Giannousopoulos [mailto:ggiannou at gmail.com]
Sent: 16 March 2016 12:35
To: Rolf Hanßen
Cc: Nick Cutting; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] traceroute from ASA with source IP from inside interface

Hi,

It's been a while since I tried that, but I think you are not allowed by default to ping an outside host using an inside interface as the source.

Each interface can successfully ping only in its egress direction unless you change the rules.

--
George

On Wed, Mar 16, 2016 at 2:26 PM, "Rolf Hanßen" <nsp at rhanssen.de> wrote:
Hi Nick,

the outgoing packets are UDP but the packets coming back should be ICMP
TTL expired, that is why I allowed ICMP.

I just tried to allow anything in and out without any change, so I guess this
is not rule-related at all.

Any other ideas?

kind regards
Rolf

> Traceroutes from ASA / routers use UDP, not ICMP.
>
> You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> versions of the message you need - this is my traceroute config I use on
> client contexts:
>
> Note these firewalls are non-internet facing so security is less important
> to me than troubleshooting.
>
> access-list outside_access_in extended permit icmp any any unreachable
> access-list outside_access_in extended permit icmp any any traceroute
> access-list outside_access_in extended permit icmp any any time-exceeded
>
> policy-map global_policy
>  class inspection_default
>   inspect icmp
>   inspect icmp error
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> "Rolf Hanßen"
> Sent: 16 March 2016 10:58
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] traceroute from ASA with source IP from inside interface
>
> Hi,
>
> I am new to ASA and wondering about the traceroute (and ping) behaviour.
> I wanted to trace/ping with the IP address of the internal interface, but
> anything I try results in stars:
>
> ASA# traceroute 8.8.8.8 source inside
>
> Type escape sequence to abort.
> Tracing the route to 8.8.8.8
>
>  1   *  *  *
>  2   *  *  *
>
> Tracing without setting a source (or "source outside") works fine.
> I created a rule on the internal interface towards dst any, service IP.
> There is also a rule on the outside interface to allow ICMP.
> I replace "inside" with the IP.
> Traceroutes from servers attached to the inside interface work fine.
>
> There is no control plane policy set.
>
> Is this a bug or some strange "security feature"?
> Is there another part that maybe filters such traffic?
> In the management access section I see only https/asdm/ssh/telnet.
>
> Maybe somebody can explain.
>
> kind regards
> Rolf
>


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
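The thread turns on two facts: the ASA (like IOS) sends traceroute probes as UDP datagrams with a small TTL, and what comes back is not UDP at all but ICMP errors (Time Exceeded from each hop, Destination Unreachable from the final host). A stateful firewall can only let those errors through if it looks inside the ICMP payload, where the offending packet's IP and UDP headers are quoted, and matches them to a flow it already knows about; that is the job Nick's "inspect icmp error" line does on the ASA, alongside the ACL entries permitting time-exceeded and unreachable. The script below is an added example written for this page, not code from the thread or from Cisco. It constructs one UDP probe and the ICMP error a hop would return for it, then decodes that error the way an inspector must and checks the embedded headers against the original 5-tuple. All addresses are RFC 5737 documentation prefixes and every packet is built in the script, nothing is captured or sent.

```python
"""Constructed UDP traceroute probe + the ICMP error it draws, decoded back to its flow.
Added example; addresses are documentation prefixes and packets are built here, not captured."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
PROTO_ICMP = 1
PROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum (IPv4 and ICMP headers); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int, payload: bytes = b"") -> bytes:
    """One traceroute probe as a router or ASA emits it: UDP to a high port with a
    deliberately small TTL. UDP checksum is left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp), ttl) + udp


def icmp_error(router: str, original: bytes, icmp_type: int, code: int = 0) -> bytes:
    """The ICMP error a hop returns: type/code, then the offending packet's IP header plus
    the first 8 bytes of its payload (RFC 792), addressed back to the probe's source."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, ip_str(original[12:16]), PROTO_ICMP, len(body), 64) + body


def parse_icmp_error(pkt: bytes) -> dict:
    """Decode an ICMP error the way a stateful inspector has to: outer IP header, ICMP
    type/code and checksum, then the embedded IP + transport header that names the flow
    the error belongs to. Raises ValueError for anything that is not a well-formed error."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != PROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        raise ValueError("not an ICMP error message")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("truncated embedded packet")
    result = {
        "from": ip_str(pkt[12:16]),
        "type": icmp_type,
        "code": code,
        "inner_src": ip_str(inner[12:16]),
        "inner_dst": ip_str(inner[16:20]),
        "inner_proto": inner[9],
    }
    if inner[9] == PROTO_UDP:
        result["sport"], result["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return result


def matches_flow(err: dict, src: str, dst: str, sport: int, dport: int) -> bool:
    """The decision an ICMP-error inspector makes: does the embedded header belong to a UDP
    flow already in the connection table (5-tuple compare)? Only then is the error let in."""
    return (err["inner_proto"] == PROTO_UDP and err["inner_src"] == src
            and err["inner_dst"] == dst and err.get("sport") == sport
            and err.get("dport") == dport)


if __name__ == "__main__":
    # Constructed scenario: inside host 192.0.2.10 probes 198.51.100.1, hop 203.0.113.1 expires it.
    probe = udp_probe("192.0.2.10", "198.51.100.1", 40000, 33435, ttl=2)
    reply = icmp_error("203.0.113.1", probe, ICMP_TIME_EXCEEDED)
    err = parse_icmp_error(reply)
    print(err, matches_flow(err, "192.0.2.10", "198.51.100.1", 40000, 33435))
```

The point of the inspector check is why simply permitting "icmp any any" on the outside ACL is not the whole story: the error's outer header is router-to-probe-source, which never matches a UDP connection entry on its own; only the quoted inner header ties it back. The same decode applies to the final hop's Destination Unreachable (type 3, code 3, port unreachable), which is what ends a UDP traceroute; a packet that is not an ICMP error, or whose embedded packet is truncated or carries a bad checksum, is rejected rather than matched.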

