Solved

ASA 5505 Allows Pings but NOT Trace Route

Posted on 2010-09-03
Last Modified: 2012-05-10
I looked around a lot before posting this question and most people couldn't Ping and the solutions were to fix that. My issue is really weird in my opinion. I can Ping from my workstation to Google or any outside address but cannot traceroute.

I'm at a loss for what I've done wrong. I used to be able to Ping & Traceroute to any IP address I wanted. I really need the traceroute for monitoring whether or not our T1 providers are performing up to the SLA. We've had really horrible service with XO Communications and when we tried to cancel them they were going to charge us $27,000 in cancellation fees. I've only been working here for a couple months and am the first & only SysAdmin/Network Admin they've had. It's always been a couple of the developers who kinda knew networking who've done stuff and as you can imagine it's been a LOT of work cleaning & organizing everything into a smooth, well managed network.

Anyway, to my question. I used to be able to Ping and Traceroute but our main ASA 5505 died and I had to re-configure a different device in its place. Now for some reason I can ping anywhere in the cloud but traceroute stops at the inside interface. If I use the traceroute tool from the ASDM software with the source interface set to outside, it receives the traceroute info. However, if I run it from the inside it's blocked. The packet tracer tool says that it's getting blocked by an ACL, but I'm quite sure I have configured everything the same way as I had set up the original.

So here's a screenshot of the Packet Tracer Utility. First is the one where I have it use the outside IP address, which is successful. (I blurred the outside I/F IP address...)

Second is the failed one, with the access list rule that says it's blocking it... It says the implicit rule: Deny any any IP. However, in front of it, it's allowing IP from any to any less secure network. So that shouldn't be stopping it.

Here is the relevant part of my configs with user accounts & hashes removed as well as IP addresses obviously changed. If you need more let me know. Thank you so much for your help ahead of time...

As you can see from the following I have tried adding rules allowing traceroute in many ways and none of them have worked.

[code]
object-group service rdp tcp
 description RDP
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service ICMP tcp-udp
 description Traceroute
 port-object range 33434 33534
object-group service UDPICMP udp
 description UDP ICMP
 port-object range 33434 33534
object-group service DM_INLINE_UDP_1 udp
 group-object UDPICMP
 port-object range 33434 33534
access-list 100 extended permit ip 10.100.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list 100 extended permit ip 4.4.4.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list 100 extended permit ip host 111.111.111.2 host 212.143.139.180
access-list nonat extended permit ip 4.4.4.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.100.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 4.4.4.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 5.58.0 255.255.248.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 5.58.0 255.255.248.0 10.2.0.0 255.255.255.0
access-list from_outside_to_inside extended permit udp any any object-group DM_INLINE_UDP_1
access-list from_outside_to_inside extended permit icmp any any traceroute
access-list from_outside_to_inside extended permit object-group TCPUDP any any range 33434 33534
access-list from_outside_to_inside extended permit udp any any eq echo
access-list from_outside_to_inside extended permit icmp any any
access-list from_outside_to_inside extended permit object-group TCPUDP any any eq echo
access-list from_outside_to_inside extended permit tcp any host 4.4.4.12 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.3 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.4 eq ftp
access-list from_outside_to_inside extended permit tcp any host 111.111.111.4 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.5 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.5 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.111.6 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.7 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.111.7 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.8 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.111.16 eq 3000
access-list from_outside_to_inside extended permit tcp any host 111.111.111.8 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.111.9 eq 1344
access-list from_outside_to_inside extended permit tcp any host 111.111.111.10 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.111.10 eq www
access-list from_outside_to_inside remark RDP
access-list from_outside_to_inside extended permit tcp any any eq 3389
access-list from_outside_to_inside extended permit udp any any eq tftp
access-list from_outside_to_inside extended permit udp any any eq syslog
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 25
logging enable
logging timestamp
logging standby
logging list Event-class level debugging
logging buffer-size 1048576
logging asdm-buffer-size 200
logging console emergencies
logging monitor critical
logging buffered critical
logging trap debugging
logging history emergencies
logging asdm debugging
logging facility 16
logging device-id hostname
logging host inside 5.50.77
logging host inside 5.50.17
logging host inside 5.51.103
logging debug-trace
logging ftp-bufferwrap
logging permit-hostdown
logging class auth monitor debugging
logging class vpn monitor debugging
logging class vpnc monitor debugging
logging class vpnfo monitor debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging rate-limit 1500 1 level 0
logging rate-limit 10000 1 level 1
logging rate-limit 5000 1 level 2
logging rate-limit 1500 1 level 3
logging rate-limit 1500 1 level 4
logging rate-limit 1500 1 level 5
logging rate-limit 1500 1 level 6
logging rate-limit 10000 1 level 7
mtu outside 1500
mtu inside 1500
ip local pool clientpool 10.2.0.1-10.2.0.2 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any traceroute outside
icmp permit any inside
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 111.111.111.3-111.111.111.30 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.111.111.3 4.4.4.11 netmask 255.255.255.255
static (inside,outside) 111.111.111.4 4.4.4.12 netmask 255.255.255.255
static (inside,outside) 111.111.111.16 5.50.78 netmask 255.255.255.255
static (inside,outside) 111.111.111.5 4.4.4.5 netmask 255.255.255.255
static (inside,outside) 111.111.111.6 4.4.4.16 netmask 255.255.255.255
static (inside,outside) 111.111.111.7 4.4.4.18 netmask 255.255.255.255
static (inside,outside) 111.111.111.8 4.4.4.20 netmask 255.255.255.255
static (inside,outside) 111.111.111.9 4.4.4.55 netmask 255.255.255.255
static (inside,outside) 111.111.111.10 4.4.4.40 netmask 255.255.255.255
access-group from_outside_to_inside in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route inside 5.50.0 255.255.248.0 10.100.0.10 1
route inside 5.58.0 255.255.248.0 10.100.0.10 1
route inside 4.4.4.0 255.255.255.0 10.100.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 5.50.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 5.51.103 community sysadmin
snmp-server location Keith's Lab
snmp-server contact *** Keith Shannon *** E-mail: keith@opswat.com *** Phone: 415-543-1534 ext. 342 ***
snmp-server community sysadmin
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
tftp-server inside 5.51.103 c:\users\keith.opswat\tftp
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value clientpool
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
  deny-message value Login was successful. However, because certain criteria has not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact the System Administrator Keith Shannon for more information. *** Keith Shannon *** E-mail: keith@opswat.com *** Phone:415-543-1534 ext. 342 ***
group-policy OPSWATClient internal
group-policy OPSWATClient attributes
 banner value ***   Welcome to OPSWAT Inc. San Francisco VPN     ***
 banner value ***                                                ***
 banner value ***        You have Successfully Logged In         ***
 banner value ***             NO UNAUTHORIZED ACCESS             ***
 banner value ***                                                ***
 banner value ***      All system information is being logged    ***
 banner value ***     If you have accessed this VPN Illegally    ***
 banner value ***      Your information will be given to the     ***
 banner value ***   State and Federal Government for Prosecution ***
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 100
 default-domain value opswat
prompt hostname context
: end
[/code]


trace-google-success.jpg
trace-google-fail.jpg
Question by:keith_opswat
18 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33599922
Add the below commands and see.

[code]
access-list from_outside_to_inside extended permit icmp any any time-exceeded
access-list from_outside_to_inside extended permit icmp any any unreachable
policy-map global_policy
 class class-default
  set connection decrement-ttl
icmp unreachable rate-limit 10 burst-size 10
[/code]
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600028
Still the same thing... Still says it's getting blocked by the final implicit rule to deny any any.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600047
Try from a Windows PC in the local LAN.
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600098
Yes I am doing both.
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600170
It only works if I do a traceroute from the ASA device using the outside port & outside IP address as the source. Otherwise it gets blocked by the final implicit rule. Which makes zero sense since I have it permitted in every which way.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600305
Can you post your latest config?
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600353
Here's the config now... Posting more than before. I don't think anything I left out before is of any use but just in case.

[code]
: Saved
:
ASA Version 8.0(2)
!
hostname itchy
domain-name default.domain.invalid
enable password l2tRVuLpAinAgG0i encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 111.111.223.2 255.255.255.224
!
interface Vlan102
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 102
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service rdp tcp
 description RDP
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service ICMP tcp-udp
 description Traceroute
 port-object range 33434 33534
object-group service UDPICMP udp
 description UDP ICMP
 port-object range 33434 33534
object-group service DM_INLINE_UDP_1 udp
 group-object UDPICMP
 port-object range 33434 33534
access-list 100 extended permit ip 10.100.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list 100 extended permit ip 172.16.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list 100 extended permit ip host 111.111.223.2 host 212.143.139.180
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.100.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.8.0 255.255.248.0 10.4.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.8.0 255.255.248.0 10.2.0.0 255.255.255.0
access-list from_outside_to_inside extended permit udp any any object-group DM_INLINE_UDP_1
access-list from_outside_to_inside extended permit icmp any any traceroute
access-list from_outside_to_inside extended permit object-group TCPUDP any any range 33434 33534
access-list from_outside_to_inside extended permit udp any any eq echo
access-list from_outside_to_inside extended permit icmp any any
access-list from_outside_to_inside extended permit object-group TCPUDP any any eq echo
access-list from_outside_to_inside extended permit tcp any host 172.16.0.12 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.3 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.4 eq ftp
access-list from_outside_to_inside extended permit tcp any host 111.111.223.4 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.5 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.5 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.223.6 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.7 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.223.7 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.8 eq www
access-list from_outside_to_inside extended permit tcp any host 111.111.223.16 eq 3000
access-list from_outside_to_inside extended permit tcp any host 111.111.223.8 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.223.9 eq 1344
access-list from_outside_to_inside extended permit tcp any host 111.111.223.10 eq https
access-list from_outside_to_inside extended permit tcp any host 111.111.223.10 eq www
access-list from_outside_to_inside remark RDP
access-list from_outside_to_inside extended permit tcp any any eq 3389
access-list from_outside_to_inside extended permit udp any any eq tftp
access-list from_outside_to_inside extended permit udp any any eq syslog
access-list from_outside_to_inside extended permit icmp any any time-exceeded
access-list from_outside_to_inside extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 25
logging enable
logging timestamp
logging standby
logging list Event-class level debugging
logging buffer-size 1048576
logging asdm-buffer-size 200
logging console emergencies
logging monitor critical
logging buffered critical
logging trap debugging
logging history emergencies
logging asdm debugging
logging facility 16
logging device-id hostname
logging host inside 10.0.0.77
logging host inside 10.0.0.17
logging host inside 10.0.1.103
logging debug-trace
logging ftp-bufferwrap
logging permit-hostdown
logging class auth monitor debugging
logging class vpn monitor debugging
logging class vpnc monitor debugging
logging class vpnfo monitor debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
logging rate-limit 1500 1 level 0
logging rate-limit 10000 1 level 1
logging rate-limit 5000 1 level 2
logging rate-limit 1500 1 level 3
logging rate-limit 1500 1 level 4
logging rate-limit 1500 1 level 5
logging rate-limit 1500 1 level 6
logging rate-limit 10000 1 level 7
mtu outside 1500
mtu inside 1500
ip local pool clientpool 10.2.0.1-10.2.0.2 mask 255.255.255.0
icmp unreachable rate-limit 10 burst-size 10
icmp permit any outside
icmp permit any traceroute outside
icmp permit any inside
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 111.111.223.3-111.111.223.30 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 111.111.223.3 172.16.0.11 netmask 255.255.255.255
static (inside,outside) 111.111.223.4 172.16.0.12 netmask 255.255.255.255
static (inside,outside) 111.111.223.16 10.0.0.78 netmask 255.255.255.255
static (inside,outside) 111.111.223.5 172.16.0.5 netmask 255.255.255.255
static (inside,outside) 111.111.223.6 172.16.0.16 netmask 255.255.255.255
static (inside,outside) 111.111.223.7 172.16.0.18 netmask 255.255.255.255
static (inside,outside) 111.111.223.8 172.16.0.20 netmask 255.255.255.255
static (inside,outside) 111.111.223.9 172.16.0.55 netmask 255.255.255.255
static (inside,outside) 111.111.223.10 172.16.0.40 netmask 255.255.255.255
access-group from_outside_to_inside in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.223.1 1
route inside 10.0.0.0 255.255.248.0 10.100.0.10 1
route inside 10.0.8.0 255.255.248.0 10.100.0.10 1
route inside 172.16.0.0 255.255.255.0 10.100.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server location Keith's Lab
snmp-server contact *** Keith Shannon *** E-mail: keith@opswat.com *** Phone: 415-543-1534 ext. 342 ***
snmp-server community sysadmin
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
l2tp tunnel hello 300

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
tftp-server inside 10.0.1.103 c:\users\keith.opswat\tftp
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value clientpool
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
  deny-message value Login was successful. However, because certain criteria has not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact the System Administrator Keith Shannon for more information. *** Keith Shannon *** E-mail: keith@opswat.com *** Phone:415-543-1534 ext. 342 ***
group-policy OPSWATClient internal
group-policy OPSWATClient attributes
 banner value ***   Welcome to OPSWAT Inc. San Francisco VPN     ***
 banner value ***                                                ***
 banner value ***        You have Successfully Logged In         ***
 banner value ***             NO UNAUTHORIZED ACCESS             ***
 banner value ***                                                ***
 banner value ***      All system information is being logged    ***
 banner value ***     If you have accessed this VPN Illegally    ***
 banner value ***      Your information will be given to the     ***
 banner value ***   State and Federal Government for Prosecution ***
prompt hostname context

[/code]
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600423
Can you add the below line:

[code]
icmp unreachable rate-limit 10 burst-size 5
[/code]

Just change to 5 and see.

Also show me the log output while testing.
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600654
Oh weird... I'd never looked at the log files and I got these two interesting ones... If I did it from the interface where it wasn't spoofing the IP address I got this error.

2      Sep 03 2010      13:50:23            10.100.0.1      7      74.125.19.99      7      Inbound TCP connection denied from 10.100.0.1/7 to 74.125.19.99/7 flags SYN  on interface outside

If I used the internal IP address but set it to go from the other interface, it said it dropped it because it was spoofing the IP address... Which it was, but still. Here's the message:

2      Sep 03 2010      13:49:42                                    Deny IP spoof from (10.100.0.1) to 74.125.19.99 on interface inside


If I traceroute from my local machine I don't see anything appear in the logs until the traceroute reaches the end... I get the router hop which is before the ASA. Then after the ASA it's all ***.

However, one thing I accidentally just found out because I had never let the tracert run after it started giving **: after the correct number of hops showed with no information, the final hop was sent back properly. And this came up in the error logs. Why would the final hop at Google show but nothing in between?

4      Sep 03 2010      13:53:14                                    No matching connection for ICMP error message: icmp src inside:10.100.0.10 dst outside:216.252.121.178 (type 3, code 1) on inside interface.  Original IP payload: tcp src 216.252.121.178/5050 dst 10.0.1.116/56698.

 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600810
Ah, only now I noticed your ASA version, it's 8.02.

Actually there is a bug in the ASA OS and it is corrected in 8.03:
CSCsk76401

set connection decrement-ttl does not work for traceroute

Versions prior to 8.0(3) do not support the "Make the Firewall Show Up in a Traceroute in ASA/PIX" section due to the bug CSCsk76401.
 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33600831
CSCsk76401 Bug Details

set connection decrement-ttl does not work for traceroute

Symptom:
The "set connection decrement-ttl" command is designed to allow the Security Appliance to show up as a hop in the path for transient ICMP Traceroute packets. This is achieved by decrementing the TTL in the IP header, and responding to received ICMP packets with TTL of zero.

The bug is filed because with the command enabled, the TTL of ICMP packets is not getting decremented. However, TCP packets matching the class-map will have their TTL decremented.

After the fix for this bug, any IP packet matching the class-map, whose action is set for "set connection decrement-ttl", will have its IP TTL decremented as it transits the security appliance.

Conditions:
Traffic must be matching a class-map whose action is:
set connection decrement-ttl

Workaround:
None.

1st Found-In: 7.2(2), 8.0(2)

Fixed-In: 8.03, 8.1(0.94), 7.2(4), 8.2(0.73), 8.0(2.31), 8.2(0.74), 7.2(3.8)
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600835
I don't mind that the firewall is not showing up in traceroute... I just want the other hops to show up on my PC.

Or is the fact that the firewall is not showing up the reason why the first router hop before the ASA is the only device that shows in my tracert?

The packet trace utility says the ACL is blocking my traceroute.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33600873
While testing, run

[code]
sh access-list from_outside_to_inside
[/code]

and see if there are any hits.
 
LVL 4

Author Comment

by:keith_opswat
ID: 33600958
[code]
access-list from_outside_to_inside; 29 elements
access-list from_outside_to_inside line 1 extended permit udp any any object-group DM_INLINE_UDP_1 0xa477642e
access-list from_outside_to_inside line 1 extended permit udp any any range 33434 33534 (hitcnt=217) 0xb7b41e06
access-list from_outside_to_inside line 1 extended permit udp any any range 33434 33534 (hitcnt=0) 0xb7b41e06
access-list from_outside_to_inside line 2 extended permit icmp any any traceroute (hitcnt=0) 0x353ca0ac
access-list from_outside_to_inside line 3 extended permit object-group TCPUDP any any range 33434 33534 0x93d49bf4
access-list from_outside_to_inside line 3 extended permit udp any any range 33434 33534 (hitcnt=0) 0xb7b41e06
access-list from_outside_to_inside line 3 extended permit tcp any any range 33434 33534 (hitcnt=10) 0xea7081cb
access-list from_outside_to_inside line 4 extended permit udp any any eq echo (hitcnt=436) 0x2ab68423
access-list from_outside_to_inside line 5 extended permit icmp any any (hitcnt=76682) 0xf3b6aa0d
access-list from_outside_to_inside line 6 extended permit object-group TCPUDP any any eq echo 0x93d49bf4
access-list from_outside_to_inside line 6 extended permit udp any any eq echo (hitcnt=0) 0x2ab68423
access-list from_outside_to_inside line 6 extended permit tcp any any eq echo (hitcnt=0) 0x95215ef
access-list from_outside_to_inside line 7 extended permit tcp any host 172.16.0.12 eq www (hitcnt=0) 0x9b4e3ac9
access-list from_outside_to_inside line 8 extended permit tcp any host 209.220.223.3 eq www (hitcnt=8136) 0x6ba91551
access-list from_outside_to_inside line 9 extended permit tcp any host 209.220.223.4 eq ftp (hitcnt=2) 0x6b65c56f
access-list from_outside_to_inside line 10 extended permit tcp any host 209.220.223.4 eq www (hitcnt=5620) 0x6dda3041
access-list from_outside_to_inside line 11 extended permit tcp any host 209.220.223.5 eq www (hitcnt=224) 0xb3b7ecd0
access-list from_outside_to_inside line 12 extended permit tcp any host 209.220.223.5 eq https (hitcnt=35) 0xba5e5243
access-list from_outside_to_inside line 13 extended permit tcp any host 209.220.223.6 eq www (hitcnt=216) 0xfb06bddb
access-list from_outside_to_inside line 14 extended permit tcp any host 209.220.223.7 eq https (hitcnt=0) 0xf2ded358
access-list from_outside_to_inside line 15 extended permit tcp any host 209.220.223.7 eq www (hitcnt=230) 0x8a174dfe
access-list from_outside_to_inside line 16 extended permit tcp any host 209.220.223.8 eq www (hitcnt=217) 0x3e625bac
access-list from_outside_to_inside line 17 extended permit tcp any host 209.220.223.16 eq 3000 (hitcnt=0) 0x5253f381
access-list from_outside_to_inside line 18 extended permit tcp any host 209.220.223.8 eq https (hitcnt=0) 0xca15e29
access-list from_outside_to_inside line 19 extended permit tcp any host 209.220.223.9 eq 1344 (hitcnt=0) 0xe971100
access-list from_outside_to_inside line 20 extended permit tcp any host 209.220.223.10 eq https (hitcnt=82) 0xbc2a63af
access-list from_outside_to_inside line 21 extended permit tcp any host 209.220.223.10 eq www (hitcnt=221) 0x1329ac83
access-list from_outside_to_inside line 22 remark RDP
access-list from_outside_to_inside line 23 extended permit tcp any any eq 3389 (hitcnt=650) 0x2e136a64
access-list from_outside_to_inside line 24 extended permit udp any any eq tftp (hitcnt=0) 0x6c9fa0a
access-list from_outside_to_inside line 25 extended permit udp any any eq syslog (hitcnt=0) 0x311f5361
access-list from_outside_to_inside line 26 extended permit icmp any any time-exceeded (hitcnt=0) 0xd1d925a9
access-list from_outside_to_inside line 27 extended permit icmp any any unreachable (hitcnt=0) 0x90f6d04f
[/code]
 
LVL 4

Author Comment

by:keith_opswat
ID: 33601210
I found this... it's blocking it because there wasn't a connection created from INSIDE the network. It's blocking it because there is no connection state for it. Here's the whole message


%ASA-2-106001: Inbound TCP connection denied from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name
An attempt was made to connect to an inside address and was denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the adaptive security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

• ACK—The acknowledgment number was received

• FIN—Data was sent

• PSH—The receiver passed data to the application

• RST—The connection was reset

• SYN—Sequence numbers were synchronized to start a connection

• URG—The urgent pointer was declared valid
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33602142
The above comment is related to TCP.

But what is strange is that there are no hits on the below access-list lines:
access-list from_outside_to_inside line 26 extended permit icmp any any time-exceeded (hitcnt=0) 0xd1d925a9
access-list from_outside_to_inside line 27 extended permit icmp any any unreachable (hitcnt=0) 0x90f6d04f

What is the device on top of this firewall?

Can you traceroute the firewall GW IP (111.111.223.1 as per your config) from the inside LAN?
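As an added example (not from the thread): a small Python parser for the sh access-list output posted above that pulls out the hitcnt values anoopkmr asked about and checks whether a zero-hit entry is shadowed by an earlier, broader permit. That is the situation in this listing: line 5 (permit icmp any any) precedes lines 26 and 27, and ASA ACLs are first-match, so those two lines can never record hits whether or not the ICMP replies arrive. The sample text is a constructed subset of the listing above, and the shadow check is a simplified one that handles only unqualified "any any" entries.

```python
"""Parse Cisco ASA 'show access-list' output and check the hit counts of the
ICMP entries traceroute replies depend on (added example for this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the 'sh access-list from_outside_to_inside' output posted above.
SAMPLE_OUTPUT = """\
access-list from_outside_to_inside; 29 elements
access-list from_outside_to_inside line 1 extended permit udp any any object-group DM_INLINE_UDP_1 0xa477642e
access-list from_outside_to_inside line 1 extended permit udp any any range 33434 33534 (hitcnt=217) 0xb7b41e06
access-list from_outside_to_inside line 2 extended permit icmp any any traceroute (hitcnt=0) 0x353ca0ac
access-list from_outside_to_inside line 5 extended permit icmp any any (hitcnt=76682) 0xf3b6aa0d
access-list from_outside_to_inside line 22 remark RDP
access-list from_outside_to_inside line 26 extended permit icmp any any time-exceeded (hitcnt=0) 0xd1d925a9
access-list from_outside_to_inside line 27 extended permit icmp any any unreachable (hitcnt=0) 0x90f6d04f
"""

# One expanded entry per line. Object-group parent entries carry no hitcnt;
# every concrete entry does, and each line ends with the entry's hash in hex.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-fA-F]+$"
)

# ICMP keywords the thread used to let traceroute's error replies back in.
TRACEROUTE_ICMP = ("time-exceeded", "unreachable", "traceroute")


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    rest: str            # text between the protocol and the hitcnt/hash
    hits: Optional[int]  # None for an object-group parent entry


def parse_show_access_list(text: str) -> List[Ace]:
    """Return the entries in listing order; the header and remarks are skipped."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        hits = m.group("hits")
        aces.append(Ace(m.group("acl"), int(m.group("line")), m.group("action"),
                        m.group("proto"), m.group("rest"),
                        int(hits) if hits is not None else None))
    return aces


def traceroute_return_entries(aces: List[Ace]) -> List[Ace]:
    """ICMP entries meant to admit traceroute's time-exceeded/unreachable replies."""
    return [a for a in aces if a.proto == "icmp"
            and any(k in a.rest.split() for k in TRACEROUTE_ICMP)]


def shadowing_entry(aces: List[Ace], target: Ace) -> Optional[Ace]:
    """First earlier entry of the same ACL that already matches everything
    `target` could match. ASA ACLs are first-match, so a shadowed entry can
    never accumulate hits. Only the simple case is handled: an earlier
    'any any' entry for the same protocol, or for 'ip', with no qualifiers."""
    for ace in aces:
        if ace.acl != target.acl or ace.line >= target.line:
            continue
        if ace.rest == "any any" and ace.proto in (target.proto, "ip"):
            return ace
    return None


def audit(text: str) -> List[str]:
    """One finding per traceroute-related ICMP entry in the listing."""
    aces = parse_show_access_list(text)
    findings = []
    for ace in traceroute_return_entries(aces):
        shadow = shadowing_entry(aces, ace)
        if shadow is not None:
            findings.append(
                f"line {ace.line} ({ace.proto} {ace.rest}) hitcnt={ace.hits}: "
                f"shadowed by line {shadow.line} ({shadow.action} {shadow.proto} "
                f"{shadow.rest}, hitcnt={shadow.hits}), so it can never be hit")
        elif ace.hits == 0:
            findings.append(f"line {ace.line} ({ace.proto} {ace.rest}): no hits, "
                            f"no such packet has matched on this interface")
        else:
            findings.append(f"line {ace.line} ({ace.proto} {ace.rest}): "
                            f"hitcnt={ace.hits}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```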
 
LVL 79

Expert Comment

by:lrmoore
ID: 33604247
Try this:

[code]
access-list from_outside_to_inside extended permit icmp any any time-exceeded
policy-map global_policy
 class inspection_default
  inspect icmp
[/code]
 
LVL 4

Author Closing Comment

by:keith_opswat
ID: 33678378
Still doesn't work... I'm gonna say it's the firmware even though I've gotten it to work on this exact same device, with this exact same firmware before. And since you worked with me a ton anoopkmr I'm gonna give you the points and an A! Thanks a lot man. So marking your firmware answer as correct...
