Security Internetworking Experts


CCIE Security Lab Forum
Topic: show ASA in traceroute output
peterrayan (Member, # 30030)
posted September 02, 2010 08:46 AM

How do I configure my ASA to appear as a hop in the traceroute output? It does not by default. Any idea? Thanks.

Posts: 15 | From: Dubai | Registered: Aug 2010
The Mongoose (Elite, # 28888)
posted September 02, 2010 12:34 PM

By default the ASA will not decrement the TTL for ICMP packets. I tried this and it worked:

policy-map global_policy
 ! use your own class-map here, or class-default if lazy
 class class-default
  set connection decrement-ttl

Also, the ASA rate-limits ICMP unreachables, so:

icmp unreachable rate-limit 3 burst-size 3

and it should work.

I've tried it with Cisco IOS traceroute (UDP 33434 and up) and it also works.

-M-

Posts: 307 | From: Canada | Registered: Sep 2009
Gurupai12 (Newbie, # 30014)
posted September 02, 2010 08:25 PM

The class inspection_default cannot be used to set decrement-ttl. You will get an error message that only 'inspect' is allowed under that class.

From what I remember (I did it quite some time ago), you need a separate class-map, which you then call under policy-map global_policy.

Posts: 3 | From: Bangalore | Registered: Aug 2010
Kingsley Charles (CCSP, CCNP, CCIP) (Brainiac, # 29872)
posted September 03, 2010 01:53 AM

The error is given only when you apply it to a class with 'match default-inspection-traffic'.

Under class class-default you will not get the error. Please have a look below:

asa1(config-pmap-c)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# set CONnection DEcrement-ttl
ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.
asa1(config-pmap-c)# POLicE INput 56000
ERROR: Only 'inspect' action is allowed for the class with 'match default-inspection-traffic'.

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
The Mongoose (Elite, # 28888)
posted September 03, 2010 01:52 PM

Correct, that's why I mentioned class-default, not class inspection_default.

Posts: 307 | From: Canada | Registered: Sep 2009
sickMonkey (Guru, # 19276)
posted September 14, 2010 12:53 PM

This is correct. Here is an example.

policy-map global_policy
 class inspection_default
 class class-default
  set connection decrement-ttl

Before:

Rack1R1#traceroute 136.1.122.2

Type escape sequence to abort.
Tracing the route to 136.1.122.2

  1 136.1.122.2 0 msec * 0 msec

After:

Rack1R1#traceroute 136.1.122.2

Type escape sequence to abort.
Tracing the route to 136.1.122.2

  1 136.1.122.12 4 msec * 0 msec
  2 136.1.122.2 4 msec * 0 msec
Rack1R1#

Posts: 133 | From: Denver | Registered: Jun 2006
CCIE_Sec_Hunt (Elite, # 28511)
posted September 14, 2010 01:02 PM

The best way to configure the inspection and default classes is to run the command

show run policy-map global_policy

That way you will see which factory defaults are already there. Just copy and paste, then modify them according to your needs.

Most of the Layer 7 inspections go under

class inspection_default

and the rest of the normal classes go under class class-default, or under your own defined class in global_policy.

I hope it helps!

Posts: 372 | From: UK | Registered: Jun 2009
Mohammed Riyazuddin (Jr Member, # 26561)
posted March 04, 2011 02:07 PM

I tried it too and it's working fine. Please find the config below:
=============

class-map trace
 match any
!
policy-map global_policy
 class trace
  set connection decrement-ttl
!
access-list O_I extended permit udp any any range 33434 33466
!

What if the question says not to use any ACL command to accomplish this?

Posts: 8 | From: Saudi Arabia | Registered: Aug 2008
bor2tobeccie (Jr Member, # 30370)
posted March 05, 2011 07:02 AM

It seems like most of the guys here are taking the lab a second time.

I feel the pain, brothers.

The right solution is:

class-map TRACEROUTE
 match port udp range 33434 33464
!
policy-map global_policy
 class inspection_default
 class TRACEROUTE
  set connection decrement-ttl

Posts: 13 | From: france | Registered: Dec 2010
varun bahl (Member, # 28452)
posted March 06, 2011 04:17 AM

Hey Born,

Nice work, mate, you found the solution.

Nice, nice.

Best of luck for your exam. Give me good news.

Posts: 32 | From: india | Registered: May 2009
bor2tobeccie (Jr Member, # 30370)
posted March 06, 2011 11:20 AM

Sir,

you are the one who provided me this solution; I just pasted it here.

This time I am confident I will nail it and will surely give you good news.

Posts: 13 | From: france | Registered: Dec 2010
Pushkar Bhatkoti (Brainiac, # 23144)
posted May 01, 2011 05:42 AM

Whoops, I was labbing this up and noticed that when I turned on the IP audit feature, it broke the traceroute functionality.

Do you all think it would be good to consider adding this one line to avoid any possibility of breaking the existing traceroute configuration?

config t
 ip audit signature 1102 disable

1102 = land attack, which I saw in the ASA logs.

After I added the above line, traceroute functionality was back to normal.

Posts: 860 | From: Sydney/Australia | Registered: Sep 2007
Parvees (Specialist, # 24144)
posted May 01, 2011 07:52 AM

Push,

Yes, that's true; it will be considered a land attack, and the only way to get rid of this, if you have turned on the audit feature and want traceroute to work, is disabling the signature ID.

Btw,

when we normally allow traceroute

the output will come as

1 1 ms * 1 ms 10.10.10.1 (ASA IP)

until and unless you provide the following command:

icmp unreachable rate-limit 10 burst-size 5 (for example)

Then the output will be

1 1 ms 1 ms 1 ms 10.10.10.1 (ASA IP)

So if I were to receive a lab question that says to make sure traceroute will work through my ASA, do we have to allow the ICMP command as well? Doesn't this mean a SUCCESSFUL traceroute? Or would just decrementing the TTL be enough?

With regards,
Parvees

Posts: 96 | From: Dubai | Registered: Dec 2007
Pushkar Bhatkoti (Brainiac, # 23144)
posted May 15, 2011 07:34 PM

Agreed, Parvees, with rate-limit on ICMP.

Btw, the solution below is incorrect, as it only allows IN TO OUT traceroute to function. It doesn't allow OUT TO IN.

class-map TRACEROUTE
 match port udp range 33434 33464
!
policy-map global_policy
 class inspection_default
 class TRACEROUTE
  set connection decrement-ttl

So, what is the correct solution for both in2out and out2in?
---------Complete solution----------------
You just need an ACL from out2in.

access-list out2in extended permit udp any any range 33434 33464
access-group out2in in interface outside
!
class-map TRACEROUTE
 match port udp range 33434 33464
!
policy-map global_policy
 class inspection_default
 class TRACEROUTE
  set connection decrement-ttl

+ ICMP rate-limit: bump it up to 20, burst 10.

---------end of complete solution-----------

Now that is the complete solution.

The output will look something like this:

----in2out---
1 9.9.3.2 0 msec 4 msec 0 msec
2 9.9.3.1 8 msec 4 msec 4 msec
3 9.9.2.2 4 msec * 0 msec

----out2in---
1 9.9.2.2 0 msec 4 msec 0 msec
2 9.9.3.1 8 msec 4 msec 4 msec
3 9.9.3.2 4 msec * 0 msec

Did you notice the last hop #3? Why is it still "*"?
I think we should get rid of that * as well.

But how? Is that normal?

Posts: 860 | From: Sydney/Australia | Registered: Sep 2007
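Pulling the thread's pieces together, here is a consolidated configuration as an added example (my own, not from any post above and not a verbatim Cisco document). The interface names inside and outside, the inside network 10.1.1.0/24, the outside host 198.51.100.5 and the object names TRACEROUTE, TRACEROUTE-ICMP and OUTSIDE-IN are all assumptions. It puts decrement-ttl in dedicated classes rather than inspection_default, matches ICMP-based probes (Windows tracert) as well as the UDP range, raises the ICMP unreachable rate limit, permits out-to-in probes, and adds ICMP inspection so the ICMP errors that answer in-to-out probes are allowed back through, which none of the posts above covers:

```cisco
! Added example, not from the thread. Interface names, addresses and
! object names are assumptions.
!
! --- 1. Classify traceroute probes ---
! IOS/Linux traceroute sends UDP to 33434-33464; "match port" needs no ACL.
class-map TRACEROUTE
 match port udp range 33434 33464
!
! Windows tracert sends ICMP echo. "match port" has no ICMP option,
! so this class needs an access-list to match on.
access-list TRACEROUTE-ICMP extended permit icmp any any echo
class-map TRACEROUTE-ICMP
 match access-list TRACEROUTE-ICMP
!
! --- 2. Decrement TTL in dedicated classes ---
! "set connection decrement-ttl" is rejected under inspection_default
! (only "inspect" actions are allowed there), so it lives in its own class.
! ICMP inspection makes echo/reply stateful and lets ICMP errors
! (time-exceeded, unreachable) that belong to an existing flow back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class TRACEROUTE
  set connection decrement-ttl
 class TRACEROUTE-ICMP
  set connection decrement-ttl
!
! Already present in the factory default config; shown for completeness.
service-policy global_policy global
!
! --- 3. Answer every probe ---
! Default is rate-limit 1 burst-size 1 (one message per second), which is
! why the ASA hop shows "*" for some probes until this is raised.
icmp unreachable rate-limit 10 burst-size 5
!
! --- 4. Out-to-in probes ---
! Outside (security 0) to inside is denied by default; permit the probes.
! The time-exceeded/unreachable lines are only needed if the ICMP
! inspection in step 2 is not enabled.
access-list OUTSIDE-IN extended permit udp any 10.1.1.0 255.255.255.0 range 33434 33464
access-list OUTSIDE-IN extended permit icmp any 10.1.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
!
! --- 5. Verify ---
! Confirm the classes landed where intended, then simulate an out-to-in
! probe (hypothetical source 198.51.100.5 to inside host 10.1.1.10).
show running-config policy-map global_policy
show service-policy global
packet-tracer input outside udp 198.51.100.5 40000 10.1.1.10 33434
```

Two caveats. First, the icmp unreachable rate-limit only governs messages the ASA itself sends; the "*" on the final hop in the in2out/out2in outputs above comes from the destination IOS router, which by default sends at most one ICMP unreachable every 500 ms (ip icmp rate-limit unreachable), so the second of three back-to-back probes gets no port-unreachable reply. That is normal IOS behaviour and no ASA setting changes it. Second, decrement-ttl deliberately makes the firewall visible as a hop and exposes its interface address; that is what the lab asks for, but on a production edge the default (TTL untouched, firewall invisible in traceroute) is usually the preferred posture, so treat this as a conscious trade-off rather than a fix.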
Kingsley Charles (CCSP, CCNP, CCIP) (Brainiac, # 29872)
posted May 15, 2011 10:11 PM

Getting "*" is normal, right?

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
Pushkar Bhatkoti (Brainiac, # 23144)
posted May 16, 2011 06:18 PM

>Getting "*" is normal, right?

Not too sure about this. Can someone confirm?
The hops match, so this * is not participating in anything, but I am also curious why, and in what circumstances, this * appears as it has in our example.

Posts: 860 | From: Sydney/Australia | Registered: Sep 2007

