
Feb 03

Traceroute through Cisco ASA Firewall

Allowing traceroute through the firewall requires configuration that depends on which tool sends the traceroute.
Microsoft Windows uses the tracert command, which relies on ICMP message types (unreachable, time-exceeded, echo-reply). Use the following ACL entries to let that trace traffic pass through the firewall. In this example hosts behind the inside interface can already reach outside hosts, but because of the security-level difference outside hosts must be explicitly permitted on the outside interface.

To allow inside hosts to be visible to outside hosts, use the following:
access-list acl-outside line 2 extended permit icmp any any echo

The following lines make inside hosts visible to the outside using traceroute:
access-list acl-outside line 2 extended permit icmp any any echo-reply
access-list acl-outside line 2 extended permit icmp any any source-quench
access-list acl-outside line 2 extended permit icmp any any time-exceeded

The service policy on the firewall also needs to be updated to inspect ICMP traffic:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error

This is the default policy and should already be enabled; if it is not, apply it with the following:
service-policy global_policy global

Cisco uses the traceroute command, which starts with UDP port 33434 and adds 3 to the port number for every hop. So, to allow a Cisco traceroute with a maximum of 30 hops, the port range will be 33434+3*30=33524.

access-list acl-outside line 2 extended permit udp any any range 33434 33523
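As an added example (not from the original post), the following Python derives the UDP destination-port range that a UDP-based traceroute uses for a given hop limit, generates the matching ASA ACL entries, and maps a probe port seen in a firewall log back to its hop. It assumes the IOS behaviour described above: the first probe goes to port 33434, three probes per hop, and the port is incremented on every probe.

```python
# Added example, not part of the original post. Assumes Cisco IOS style
# UDP traceroute: base port 33434, 3 probes per hop, +1 port per probe.

TRACEROUTE_BASE_PORT = 33434


def traceroute_port_range(max_hops=30, probes_per_hop=3, base=TRACEROUTE_BASE_PORT):
    """Return (first, last) UDP destination port used by a trace of max_hops hops.

    The last probe of hop N lands on base + N*probes - 1, so a 30-hop trace with
    3 probes per hop ends at 33523; 33524 (= base + 3*30) is hop 31's first probe.
    """
    if max_hops < 1 or probes_per_hop < 1:
        raise ValueError("hops and probes per hop must be positive")
    last = base + max_hops * probes_per_hop - 1
    if last > 65535:
        raise ValueError("computed port range exceeds 65535")
    return base, last


def asa_acl_lines(acl_name="acl-outside", max_hops=30, probes_per_hop=3):
    """ASA ACL entries for both ICMP-based (tracert) and UDP-based traceroute replies."""
    first, last = traceroute_port_range(max_hops, probes_per_hop)
    lines = [f"access-list {acl_name} extended permit icmp any any {icmp_type}"
             for icmp_type in ("echo-reply", "source-quench", "time-exceeded")]
    lines.append(f"access-list {acl_name} extended permit udp any any range {first} {last}")
    return lines


def udp_probe_permitted(dport, max_hops=30, probes_per_hop=3):
    """True if a UDP probe's destination port falls inside the permitted range."""
    first, last = traceroute_port_range(max_hops, probes_per_hop)
    return first <= dport <= last


def hop_for_port(dport, probes_per_hop=3, base=TRACEROUTE_BASE_PORT):
    """Hop (TTL) that a given probe port belongs to, useful when reading deny logs."""
    if dport < base:
        raise ValueError("port below traceroute base port")
    return (dport - base) // probes_per_hop + 1


if __name__ == "__main__":
    for line in asa_acl_lines():
        print(line)
    print("33524 belongs to hop", hop_for_port(33524))
```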

The other issue you can face is that a tracert which succeeds through the firewall does not list the firewall's own IP as a hop. For the firewall's IP address to appear in the tracert output, use the following:

class-map inspection_default
 match default-inspection-traffic
class-map class-ttl
 match any

policy-map global_policy
 class class-ttl
  set connection decrement-ttl

1 comment

  1. BOOZy

    Thanks, that works.
    If you have upgraded from an earlier version of the PIX-OS, the inspect rules are still default (off), if it worked before, simply adding ‘inspect icmp’ and ‘inspect icmp error’ will fix it for you.
