ArneLovius (United Kingdom) asked:
ASA 9.0(1) "breaks" traceroute

Cisco ASA 5505 Sec Plus

Was running 8.4.4.1 with no problems, updated to 9.0(1), and if I traceroute through it, I get some rather odd behaviour. The below is on Linux, but it's the same on Windows.

local@ten-0-4:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  google-public-dns-a.google.com (8.8.8.8)  5.077 ms  5.058 ms  4.997 ms
 2  google-public-dns-a.google.com (8.8.8.8)  21.002 ms  21.029 ms  20.956 ms
 3  google-public-dns-a.google.com (8.8.8.8)  20.968 ms  20.934 ms  20.923 ms
 4  google-public-dns-a.google.com (8.8.8.8)  20.849 ms  20.901 ms  20.890 ms
 5  google-public-dns-a.google.com (8.8.8.8)  20.885 ms  20.881 ms  20.855 ms
 6  google-public-dns-a.google.com (8.8.8.8)  20.849 ms  13.947 ms  14.558 ms
 7  google-public-dns-a.google.com (8.8.8.8)  17.335 ms  15.854 ms  17.496 ms
 8  google-public-dns-a.google.com (8.8.8.8)  24.488 ms  24.445 ms  20.468 ms
 9  google-public-dns-a.google.com (8.8.8.8)  22.423 ms  19.386 ms  20.405 ms
10  google-public-dns-a.google.com (8.8.8.8)  19.364 ms  21.322 ms  20.336 ms
11  google-public-dns-a.google.com (8.8.8.8)  18.341 ms  20.327 ms  22.287 ms
12  google-public-dns-a.google.com (8.8.8.8)  21.465 ms  42.397 ms  18.537 ms
13  google-public-dns-a.google.com (8.8.8.8)  22.217 ms  22.037 ms  53.820 ms
14  google-public-dns-a.google.com (8.8.8.8)  25.422 ms  25.860 ms  25.813 ms
15  google-public-dns-a.google.com (8.8.8.8)  27.598 ms  27.138 ms  28.315 ms
local@ten-0-4:~$

Sanitised copy of the config as below

ASA Version 9.0(1) 
!
hostname asa-1
domain-name domain.com
enable password  <deleted> encrypted
passwd  <deleted> encrypted
names
name 192.168.53.53 v-tv-3
name 192.168.53.44 v-ca-1
name 192.168.53.201 v-homer
name 192.168.53.15 v-sarah
name 192.168.53.54 v-xwiki-01
name 192.168.53.64 v-mailbox-4
name 192.168.53.70 v-astaro
name 192.168.53.63 v-mailbox-3
name 192.168.53.51 v-ssl
name 192.168.53.65 v-mailbox-5
name 192.168.53.69 v-exchange-haproxy description address of HAProxy keepalived address
ip local pool Vestry-VPN-Pool-Range 192.168.54.1-192.168.54.9
ipv6 local pool AnyConnect-ipv6pool 2001:479:9852:3::1/64 10
!
interface Ethernet0/0
 switchport access vlan 40
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.53.251 255.255.255.0 standby 192.168.53.249 
 ipv6 address 2001:479:9852:2::1/64
 ipv6 enable
!
interface Vlan40
 nameif BT-Fibre
 security-level 0
 ip address 1.2.155.21 255.255.255.248 
 ipv6 address 2001:479:9852:1::1/64
 ipv6 enable
!
!
time-range 247
!
boot system disk0:/asa901-k8.bin
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.53.42
 name-server 192.168.53.43
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-1.2.155.17
 host 1.2.155.17
object network v-smtp-2.domain.com
 host 1.2.155.18
object network v-ssl
 host 192.168.53.51
object network v-files.domain.com
 host 1.2.155.20
object network v-sarah
 host 192.168.53.15
object network v-tv-3
 host 192.168.53.53
object network v-mailbox-3
 host 192.168.53.63
object network v-mailbox-4
 host 192.168.53.64
object service tcp-dest-smtp
 service tcp source eq smtp 
object service tcp-dest-3840
 service tcp source eq 3840 
object service tcp-dest-4444
 service tcp source eq 4444 
object service tcp-dest-http
 service tcp source eq www 
object service tcp-dest-https
 service tcp source eq https 
object service tcp-dest-18080
 service tcp source eq 18080 
object service tcp-dest-52500
 service tcp source eq 52500 
object service udp-dest-52500
 service udp source eq 52500 
object service tcp-source-smtp
 service tcp destination eq smtp 
object network domain-253
 subnet 10.201.253.0 255.255.255.0
 description (Generated by Cisco SM from Object "domain-253")
object service tcp-dest-ftp
 service tcp source eq ftp 
object service tcp-dest-smtp-587
 service tcp source eq 587 
object service SMTP-587
 service tcp destination eq 587 
object service tcp-dest-22
 service tcp source eq ssh 
object network RA-91
 subnet 192.168.91.0 255.255.255.0
object network RA-92
 subnet 192.168.92.0 255.255.255.0
object network PS-200
 subnet 10.200.0.0 255.255.0.0
object network PS-201
 subnet 10.201.1.0 255.255.255.0
object network PS-202
 subnet 10.202.0.0 255.255.0.0
object network PS-250
 subnet 10.250.1.0 255.255.255.0
object network E-12
 subnet 192.168.12.0 255.255.255.0
object network PR-30
 subnet 192.168.30.0 255.255.255.0
object network V-53
 subnet 192.168.53.0 255.255.255.0
object network v-smtp-2
 host 192.168.53.70
object network v-haproxy-5
 host 192.168.53.34
object network v-mailbox-3-haproxy
 host 192.168.53.35
object-group network Vestry-VPN-Pool-Subnet
 network-object 192.168.54.0 255.255.255.0
access-list CSM_FW_ACL_inside extended permit ip any4 any4 
access-list CSM_FW_ACL_inside extended permit icmp6 any6 any6 
access-list CSM_FW_ACL_inside extended permit ip any6 any6 
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.53.0 255.255.255.0 192.168.91.0 255.255.255.0 
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.53.0 255.255.255.0 192.168.92.0 255.255.255.0 
access-list CSM_IPSEC_ACL_3 extended permit ip 192.168.53.0 255.255.255.0 192.168.12.0 255.255.255.0 
access-list CSM_IPSEC_ACL_4 extended permit ip 192.168.53.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list Vestry-Full standard permit 192.168.53.0 255.255.255.0 
access-list Vestry-TV standard permit host 192.168.53.51 
access-list Vestry-TV standard permit host 192.168.53.52 
access-list Vestry-TV standard permit host 192.168.53.53 
access-list CSM_IPSEC_ACL_5 extended permit ip 192.168.53.0 255.255.255.0 10.200.0.0 255.255.0.0 
access-list CSM_IPSEC_ACL_5 extended permit ip 192.168.53.0 255.255.255.0 10.201.1.0 255.255.255.0 
access-list CSM_IPSEC_ACL_5 extended permit ip 192.168.53.0 255.255.255.0 10.202.0.0 255.255.0.0 
access-list CSM_IPSEC_ACL_5 extended permit ip 192.168.53.0 255.255.255.0 10.250.1.0 255.255.255.0 
access-list CSM_IPSEC_ACL_5 extended permit ip 192.168.53.0 255.255.255.0 10.201.253.0 255.255.255.0 
access-list CSM_FW_ACL_BT-Fibre extended permit icmp any4 any4 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-smtp-2 eq smtp 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-smtp-2 eq https 
access-list CSM_FW_ACL_BT-Fibre extended permit object SMTP-587 any4 object v-smtp-2 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-smtp-2 eq 3840 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-smtp-2 eq 4444 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-mailbox-3 eq www 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-mailbox-3 eq https 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-mailbox-3-haproxy eq www 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-mailbox-3-haproxy eq https 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-sarah eq ftp 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-sarah eq ssh 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-sarah eq 2222 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-sarah eq 18080 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any4 object v-sarah eq 52500 
access-list CSM_FW_ACL_BT-Fibre extended permit udp any4 object v-sarah eq 52500 
access-list CSM_FW_ACL_BT-Fibre extended permit icmp6 any6 any6 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any6 host 2001:479:9852:2::15 eq www 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any6 host 2001:479:9852:2::53 eq www 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any6 host 2001:479:9852:2::61 eq www 
access-list CSM_FW_ACL_BT-Fibre extended permit tcp any6 host 2001:479:9852:2::61 eq https 
access-list flow_export_acl extended permit ip any4 any4 
pager lines 24
logging enable
logging timestamp
logging list sshauth level debugging
logging list sshauth message 605004
logging buffer-size 409600
logging asdm-buffer-size 500
logging buffered debugging
logging trap debugging
logging asdm informational
logging facility 23
logging ftp-bufferwrap
logging ftp-server v-sarah asa CiscoConfigs *****
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.53.34 3030
flow-export template timeout-rate 1
flow-export delay flow-create 5
mtu inside 1500
mtu BT-Fibre 1500
ip verify reverse-path interface inside
ip verify reverse-path interface BT-Fibre
ip audit name Drop attack action drop
ip audit name Drop2 info action drop
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 1005 disable
ip audit signature 1006 disable
ip audit signature 1100 disable
ip audit signature 1102 disable
ip audit signature 1103 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
ip audit signature 2150 disable
ip audit signature 2151 disable
ip audit signature 2154 disable
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
ip audit signature 3153 disable
ip audit signature 3154 disable
ip audit signature 4050 disable
ip audit signature 4051 disable
ip audit signature 4052 disable
ip audit signature 6050 disable
ip audit signature 6051 disable
ip audit signature 6052 disable
ip audit signature 6053 disable
ip audit signature 6100 disable
ip audit signature 6101 disable
ip audit signature 6102 disable
ip audit signature 6103 disable
ip audit signature 6150 disable
ip audit signature 6151 disable
ip audit signature 6152 disable
ip audit signature 6153 disable
ip audit signature 6154 disable
ip audit signature 6155 disable
ip audit signature 6175 disable
ip audit signature 6180 disable
ip audit signature 6190 disable
no failover
failover lan unit primary
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover interface-policy 2
failover key *****
icmp unreachable rate-limit 5 burst-size 1
icmp permit any inside
icmp permit any BT-Fibre
asdm image disk0:/asdm-701.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,BT-Fibre) source static V-53 V-53 destination static RA-91 RA-91 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static RA-92 RA-92 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static PS-200 PS-200 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static PS-201 PS-201 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static PS-202 PS-202 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static PS-250 PS-250 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static domain-253 domain-253 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static E-12 E-12 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static PR-30 PR-30 no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static V-53 V-53 destination static Vestry-VPN-Pool-Subnet Vestry-VPN-Pool-Subnet no-proxy-arp route-lookup
nat (inside,BT-Fibre) source static v-smtp-2 obj-1.2.155.17 service tcp-dest-smtp tcp-dest-smtp
nat (inside,BT-Fibre) source static v-smtp-2 v-smtp-2.domain.com service tcp-dest-smtp tcp-dest-smtp
nat (inside,BT-Fibre) source static v-smtp-2 v-smtp-2.domain.com service tcp-dest-smtp-587 tcp-dest-smtp-587
nat (inside,BT-Fibre) source static v-smtp-2 v-smtp-2.domain.com service tcp-dest-3840 tcp-dest-3840
nat (inside,BT-Fibre) source static v-smtp-2 v-smtp-2.domain.com service tcp-dest-4444 tcp-dest-4444
nat (inside,BT-Fibre) source static v-mailbox-3-haproxy v-smtp-2.domain.com service tcp-dest-http tcp-dest-http
nat (inside,BT-Fibre) source static v-mailbox-3-haproxy v-smtp-2.domain.com service tcp-dest-https tcp-dest-https
nat (inside,BT-Fibre) source static v-sarah v-files.domain.com service tcp-dest-ftp tcp-dest-ftp
nat (inside,BT-Fibre) source static v-sarah v-files.domain.com service tcp-dest-22 tcp-dest-22
nat (inside,BT-Fibre) source static v-sarah v-files.domain.com service tcp-dest-18080 tcp-dest-18080
nat (inside,BT-Fibre) source static v-sarah v-files.domain.com service tcp-dest-52500 tcp-dest-52500
nat (inside,BT-Fibre) source static v-sarah v-files.domain.com service udp-dest-52500 udp-dest-52500
nat (inside,BT-Fibre) source dynamic v-smtp-2 v-smtp-2.domain.com service tcp-source-smtp tcp-source-smtp
nat (inside,BT-Fibre) source dynamic v-mailbox-3 v-smtp-2.domain.com
nat (inside,BT-Fibre) source dynamic v-mailbox-4 v-smtp-2.domain.com
nat (inside,BT-Fibre) source dynamic v-mailbox-3-haproxy v-smtp-2.domain.com
nat (inside,BT-Fibre) source dynamic v-haproxy-5 v-smtp-2.domain.com
nat (inside,BT-Fibre) source dynamic v-sarah v-files.domain.com
nat (inside,BT-Fibre) source dynamic V-53 interface
access-group CSM_FW_ACL_inside in interface inside
access-group CSM_FW_ACL_BT-Fibre in interface BT-Fibre
ipv6 icmp permit any inside
ipv6 icmp permit any BT-Fibre
ipv6 route BT-Fibre ::/0 2001:479:9852:1::254
route BT-Fibre 0.0.0.0 0.0.0.0 1.2.155.22 1
timeout xlate 12:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:01:00
ldap attribute-map Vestry-SSL-Attribute-maps
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=Vestry-Full,OU=VPN-Groups,DC=domain,DC=com Vestry-Full
  map-value memberOf CN=Vestry-TV,OU=VPN-Groups,DC=domain,DC=com Vestry-TV
  map-value memberOf CN=Vestry-Tun,OU=VPN-Groups,DC=domain,DC=com Vestry-Tun
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record dap-local
 description "dap-local"
 priority 10
dynamic-access-policy-record dap-remote-win
aaa-server Vestry-LDAP protocol ldap
aaa-server Vestry-LDAP (inside) host 192.168.53.42
 server-port 636
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asa-bind,OU=service accounts,DC=domain,DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map Vestry-SSL-Attribute-maps
aaa-server Vestry-LDAP (inside) host 192.168.53.43
 server-port 636
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asa-bind,OU=service accounts,DC=domain,DC=com
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map Vestry-SSL-Attribute-maps
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa proxy-limit disable
http server enable 8443
http server idle-timeout 600
http 1.2.3.4 255.255.255.255 BT-Fibre
http 0.0.0.0 0.0.0.0 inside
http redirect BT-Fibre 80
http redirect inside 80
snmp-server host inside 192.168.53.165 community *****
snmp-server host inside 10.201.253.39 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
sysopt connection tcpmss 0
service resetinbound interface BT-Fibre
no service resetoutbound interface inside
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map inside_map_dynamic 4 set security-association lifetime seconds 28800
crypto dynamic-map inside_map_dynamic 4 set security-association lifetime kilobytes 4608000
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CSM_BT-Fibre_map 1 match address CSM_IPSEC_ACL_5
crypto map CSM_BT-Fibre_map 1 set peer <deleted> 
crypto map CSM_BT-Fibre_map 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map CSM_BT-Fibre_map 1 set security-association lifetime seconds 608400
crypto map CSM_BT-Fibre_map 1 set security-association lifetime kilobytes 104857600
crypto map CSM_BT-Fibre_map 1 set reverse-route
crypto map CSM_BT-Fibre_map 2 match address CSM_IPSEC_ACL_3
crypto map CSM_BT-Fibre_map 2 set peer <deleted>
crypto map CSM_BT-Fibre_map 2 set ikev1 transform-set ESP-AES-256-MD5
crypto map CSM_BT-Fibre_map 2 set security-association lifetime seconds 608400
crypto map CSM_BT-Fibre_map 2 set security-association lifetime kilobytes 104857600
crypto map CSM_BT-Fibre_map 2 set reverse-route
crypto map CSM_BT-Fibre_map 3 match address CSM_IPSEC_ACL_1
crypto map CSM_BT-Fibre_map 3 set peer <deleted>
crypto map CSM_BT-Fibre_map 3 set ikev1 transform-set ESP-AES-256-MD5
crypto map CSM_BT-Fibre_map 3 set security-association lifetime seconds 608400
crypto map CSM_BT-Fibre_map 3 set security-association lifetime kilobytes 104857600
crypto map CSM_BT-Fibre_map 3 set reverse-route
crypto map CSM_BT-Fibre_map 4 match address CSM_IPSEC_ACL_4
crypto map CSM_BT-Fibre_map 4 set peer <deleted> 
crypto map CSM_BT-Fibre_map 4 set ikev1 transform-set ESP-AES-256-MD5
crypto map CSM_BT-Fibre_map 4 set security-association lifetime seconds 608400
crypto map CSM_BT-Fibre_map 4 set security-association lifetime kilobytes 104857600
crypto map CSM_BT-Fibre_map 4 set reverse-route
crypto map CSM_BT-Fibre_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CSM_BT-Fibre_map interface BT-Fibre
crypto map inside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map0 interface inside
crypto ca trustpoint ca-1.domain.com
 enrollment terminal
 fqdn none
 crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
 fqdn none
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn sslc.domain.com
 subject-name CN=sslc.domain.com
 keypair sslc.general.keypair
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ca-1.domain.com
 certificate ca 46c9e18ab87207894e7a064e91a24622
 <deleted>
  quit
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  <deleted>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 61ad9adf000000000125
  <deleted>
  quit
crypto isakmp identity address 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable BT-Fibre client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable BT-Fibre
crypto ikev1 am-disable
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 75
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 95
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

dhcpd dns 10.201.253.41 192.168.53.42
dhcpd wins 10.201.253.41 192.168.53.42
dhcpd domain domain.com
!
priority-queue inside
  queue-limit   1562
  tx-ring-limit 16
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.0.0.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 5 burst-rate 100 average-rate 50
ntp server 192.168.53.43 source inside prefer
ntp server 192.168.53.42 source inside
ssl server-version tlsv1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 BT-Fibre
webvpn
 enable inside
 enable BT-Fibre
 csd image disk0:/csm/csd_3.6.6210-k9.pkg
 csd hostscan image disk0:/csm/hostscan_3.0.08066-k9.pkg
 csd enable
 anyconnect image disk0:/csm/anyconnect-win-3.1.01065-k9.pkg 12
 anyconnect image disk0:/csm/anyconnect-linux-3.1.01065-k9.pkg 22
 anyconnect image disk0:/csm/anyconnect-linux-64-3.1.01065-k9.pkg 32
 anyconnect image disk0:/csm/anyconnect-macosx-i386-3.1.01065-k9.pkg 42
 anyconnect profiles sslc.domain.com disk0:/csm/sslc.domain.com.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.53.42 10.201.253.41
 dns-server value 192.168.53.42 10.201.253.41
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Vestry-Full
 default-domain value domain.com
group-policy Vestry-TV internal
group-policy Vestry-TV attributes
 wins-server value 10.201.253.41 192.168.53.42
 dns-server value 10.201.253.41 192.168.53.42
 vpn-access-hours value 247
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Vestry-TV
 default-domain value domain.com
 split-dns value domain.com
 webvpn
  anyconnect keep-installer installed
  anyconnect profiles value sslc.domain.com type user
  anyconnect ask none default anyconnect
group-policy Vestry-Tun internal
group-policy Vestry-Tun attributes
 wins-server value 10.201.253.41 192.168.53.42
 dns-server value 10.201.253.41 192.168.53.42
 vpn-access-hours value 247
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Vestry-Full
 default-domain value domain.com
 split-dns value domain.com
 webvpn
  anyconnect keep-installer installed
  anyconnect profiles value sslc.domain.com type user
  anyconnect ask none default anyconnect
group-policy Vestry-Full internal
group-policy Vestry-Full attributes
 wins-server value 192.168.53.42 192.168.53.43
 dns-server value 192.168.53.42 192.168.53.43
 vpn-access-hours value 247
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Vestry-Full
 default-domain value domain.com
 split-dns value domain.com
 split-tunnel-all-dns enable
 webvpn
  url-list value Vestry
  anyconnect keep-installer installed
  anyconnect profiles value sslc.domain.com type user
  anyconnect ask none default webvpn
  customization value Names
username  <deleted> password  <deleted> encrypted privilege 15
tunnel-group DefaultRAGroup webvpn-attributes
 nbns-server 192.168.53.43 timeout 2 retry 2
 nbns-server 192.168.53.42 timeout 2 retry 2
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.53.43 timeout 2 retry 2
 nbns-server 192.168.53.42 timeout 2 retry 2
tunnel-group  <deleted> type ipsec-l2l
tunnel-group  <deleted> ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group  <deleted> type ipsec-l2l
tunnel-group  <deleted> ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Vestry-Full type remote-access
tunnel-group Vestry-Full general-attributes
 address-pool Vestry-VPN-Pool-Range
 ipv6-address-pool AnyConnect-ipv6pool
 authentication-server-group Vestry-LDAP
 default-group-policy Vestry-Full
 password-management
tunnel-group Vestry-Full webvpn-attributes
 customization Names
 nbns-server 192.168.53.43 timeout 2 retry 2
 nbns-server 192.168.53.42 timeout 2 retry 2
 group-alias Names-Full enable
tunnel-group  <deleted> type ipsec-l2l
tunnel-group  <deleted> ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group  <deleted> type ipsec-l2l
tunnel-group  <deleted> ipsec-attributes
 ikev1 pre-shared-key *****
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map global-class
 match port udp eq domain
class-map CSM_CLASS_MAP_http_1
 match port tcp eq www
class-map inspection_default
 match default-inspection-traffic
class-map flow_export_class
 match access-list flow_export_acl
class-map global-class1
 match port tcp eq domain
class-map global-class2
 match port tcp eq www
class-map global-class3
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map CSM_POLICY_MAP_global_1
 class CSM_CLASS_MAP_http_1
  inspect http 
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect pptp 
  inspect rsh 
  inspect rtsp 
  inspect sip  
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect icmp 
 class global-class
  set connection timeout half-closed 0:05:00 idle 0:05:00 reset dcd 0:10:00 5 
 class global-class1
  set connection timeout half-closed 0:05:00 idle 0:05:00 reset dcd 0:10:00 5 
 class global-class2
  set connection timeout half-closed 0:05:00 idle 0:10:00 reset dcd 0:15:00 5 
 class global-class3
  set connection embryonic-conn-max 50 per-client-embryonic-max 10 
  set connection timeout half-closed 0:05:00 idle 1:00:00 reset dcd 0:15:00 5 
 class flow_export_class
  set connection random-sequence-number disable
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00 
!
service-policy CSM_POLICY_MAP_global_1 global
prompt hostname 
call-home reporting anonymous
hpm topN enable
Cryptochecksum:35377275f70d127b9b47e806b3898153
: end
asdm image disk0:/asdm-701.bin
asdm location v-xwiki-01 255.255.255.255 inside
asdm location v-mailbox-4 255.255.255.255 inside
asdm location v-astaro 255.255.255.255 inside
asdm location v-mailbox-3 255.255.255.255 inside
asdm location v-mailbox-5 255.255.255.255 inside
asdm location v-exchange-haproxy 255.255.255.255 inside
asdm history enable

I'm stumped by this...
ryan80

Wish I could help, but I am not brave enough to put that on my ASAs.
ASKER CERTIFIED SOLUTION
asavener (United States of America)

This solution is only available to members.
ArneLovius (asker)

The description fits exactly.

I checked with the Bug Toolkit, but didn't think to look for old bugs....

You may want to open a TAC case.

I've already opened one, but as it's not service affecting and I'm about to go on holiday for three weeks...

Anyway, rather than leave this open for three weeks, I'll close it with the points to you.
For anyone else experiencing this, the bug ID is CSCud21307

It would appear that I was the first person to report this :-)
Turns out you need to enable inspection of both ICMP and ICMP error traffic.

      policy-map global_policy
        class inspection_default
          inspect icmp
          inspect icmp error

If you just inspect the ICMP error traffic, your traceroutes work, but they all give the same-address issue you have. When you enable the inspection of ICMP (not error), then it will give back what you expect.

Try this out.  If it works please mark me as the solution.

Thanks,
David
I already have the solution as per the bug that I posted...

As per my original config, ICMP inspection was already enabled, it needed error inspection as well.
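For anyone landing on this thread later, here is a small Python script that checks for the two things discussed above: whether a traceroute shows the "every hop answers as the destination" symptom from the question, and whether an ASA policy-map's inspection_default class carries both inspect icmp and inspect icmp error. It is an added example, not code from the posters or from Cisco. The sample traceroute is a shortened copy of the one in the question (with one unanswered hop added), the sample policy-map is the relevant part of the posted config, and the "healthy" trace uses made-up RFC 5737 documentation addresses plus the asker's inside gateway address.

```python
"""Two offline checks for the problem in this thread (added example, not from
the original posters or from Cisco): does a traceroute show the "every hop is
the destination" symptom, and does an ASA policy-map's inspection_default
class carry both 'inspect icmp' and 'inspect icmp error'?"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the traceroute posted in the question,
# with one unanswered hop added to exercise the parser.
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  google-public-dns-a.google.com (8.8.8.8)  5.077 ms  5.058 ms  4.997 ms
 2  google-public-dns-a.google.com (8.8.8.8)  21.002 ms  21.029 ms  20.956 ms
 3  google-public-dns-a.google.com (8.8.8.8)  20.968 ms  20.934 ms  20.923 ms
 4  * * *
 5  google-public-dns-a.google.com (8.8.8.8)  20.885 ms  20.881 ms  20.855 ms
"""

# Constructed sample of a trace through a correctly inspecting firewall; hop
# addresses are made up (RFC 5737 documentation ranges) apart from the asker's
# inside gateway address taken from the posted config.
HEALTHY_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  asa-1.domain.com (192.168.53.251)  0.410 ms  0.380 ms  0.372 ms
 2  203.0.113.1 (203.0.113.1)  4.120 ms  4.050 ms  4.002 ms
 3  198.51.100.9 (198.51.100.9)  9.311 ms  9.270 ms  9.255 ms
 4  google-public-dns-a.google.com (8.8.8.8)  20.885 ms  20.881 ms  20.855 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((?P<dst>\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+\S+\s+\((?P<addr>\d+\.\d+\.\d+\.\d+)\)")
SILENT_RE = re.compile(r"^\s*(?P<hop>\d+)\s+\*")


def parse_traceroute(text: str) -> Tuple[str, List[Tuple[int, Optional[str]]]]:
    """Return (destination address, [(hop number, responding address or None)])."""
    dst: Optional[str] = None
    hops: List[Tuple[int, Optional[str]]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dst = m.group("dst")
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group("hop")), m.group("addr")))
            continue
        m = SILENT_RE.match(line)
        if m:  # a "* * *" hop: nobody answered within the timeout
            hops.append((int(m.group("hop")), None))
    if dst is None:
        raise ValueError("no 'traceroute to ...' header line found")
    return dst, hops


def looks_like_icmp_error_rewrite(text: str) -> bool:
    """True when every intermediate hop that answered did so from the
    destination's own address. A healthy trace shows distinct router
    addresses; the thread's trace shows 8.8.8.8 at every hop because the
    TTL-exceeded replies reached the client with a rewritten source."""
    dst, hops = parse_traceroute(text)
    answered = [addr for _, addr in hops if addr is not None]
    intermediate = answered[:-1]  # the last answering hop is legitimately the destination
    return bool(intermediate) and all(addr == dst for addr in intermediate)


# Constructed sample: the relevant lines of the asker's policy-map as posted in
# this thread (inspect icmp present, inspect icmp error absent).
SAMPLE_POLICY_MAP = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map CSM_POLICY_MAP_global_1
 class CSM_CLASS_MAP_http_1
  inspect http
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
 class global-class
  set connection timeout half-closed 0:05:00 idle 0:05:00 reset dcd 0:10:00 5
service-policy CSM_POLICY_MAP_global_1 global
"""


def icmp_inspection_status(config: str, class_name: str = "inspection_default") -> Dict[str, bool]:
    """Walk a running-config and report which ICMP inspections the named class
    carries inside any Layer 3/4 policy-map. ASA indents a class one space
    under its policy-map and the class's actions two spaces."""
    status = {"inspect icmp": False, "inspect icmp error": False}
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # any top-level command ends the current block
            in_policy = line.startswith("policy-map ") and "type inspect" not in line
            in_class = False
            continue
        if in_policy and line.startswith(" class "):
            in_class = line.split()[1] == class_name
            continue
        if in_policy and in_class and line.startswith("  inspect "):
            action = " ".join(line.split())  # normalise spacing before comparing
            if action in status:
                status[action] = True
    return status


def missing_icmp_inspections(config: str) -> List[str]:
    """The inspections the fix in this thread needs that the config lacks."""
    return [name for name, present in icmp_inspection_status(config).items() if not present]


if __name__ == "__main__":
    print("posted trace shows destination at every hop:", looks_like_icmp_error_rewrite(SAMPLE_TRACEROUTE))
    print("healthy trace flagged:", looks_like_icmp_error_rewrite(HEALTHY_TRACEROUTE))
    print("ICMP inspections missing from posted config:", missing_icmp_inspections(SAMPLE_POLICY_MAP))
```

Run against the posted config it reports only inspect icmp error as missing, which matches the asker's closing note that ICMP inspection was already on and error inspection was the piece that had to be added. To check a live box, paste the output of show running-config policy-map into the string, or read it from a file saved from the ASA.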