Cisco ASA 5500 Allowing Tracert

KB ID 0000753

Problem

I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there?

As it turns out Tracert does NOT NEED ICMP inspection, though there are a few tweaks you need to do to make it run correctly.

Solution

1. From a Windows client if I try and Tracert to an external IP address, this is what I would see.

2. My first task is to get the ASA itself to reply to me, unlike most network devices the ASA does not decrease the ‘hop count’ as traffic passes through it, to rectify this we need to make a small change to the global inspection policy like so;

[box]

Sent username "pix"
Type help or '?' for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class class-default
Petes-ASA(config-pmap-c)# set connection decrement-ttl
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)#

[/box]

3. Now when we re-run our Tracert we see the ASA now responds, nothing else does though, to rectify that we need to allow IN some ICMP traffic.

4. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
 access-group inbound in interface outside
 access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

5. At this point you should know if you have an ACL, mines called inbound so I need to add two lines to it like so;

[box]

Petes-ASA(config)# access-list inbound extended permit icmp any any time-exceeded
 Petes-ASA(config)# access-list inbound extended permit icmp any any unreachable

[/box]

Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside

[/box]

6. Try your Tracert again.

7. Don’t forget to save the changes on the ASA.

[box]

 

Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING

Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

KB ID 0000914 

Problem

Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, “Can you jump on this firewall, I’ve got no comms, and I cant ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses form the firewall”.

Solution

1. Before we start, lets get the basics out of the way, does the client you are pinging from have a firewall turned on? Can you ping the inside interface of the firewall?

2. Pinging will never work unless you have ICMP inspection turned on on the firewall. See the following article.

Cisco Firewalls and PING

Using Packet-Tracer to Test Ping/ICMP

3. At this point we troubleshoot as we would for any other traffic through the firewall. To do this we use packet-tracer, the syntax is slightly different for ICMP, than it is for TCP and UDP though. We need to specify an ICMP Type and an ICMP code, to make sure the traffic leaves the firewall we trace ICMP type 8 (echo), with ICMP code 0 (none). And ICMP type 0 (Echo-reply), with ICMP code 0 (none), for traffic inbound.

ICMP Types and Codes

[box]

Test Outbound Ping

Petes-ASA# packet-tracer input inside icmp 192.168.1.1 8 0 4.2.2.2

Testing Inbound Ping (where 123.123.123.123 is the public IP you are mapped to)

Petes-ASA# packet-tracer input outside icmp 4.2.2.2 0 0 123.123.123.123

[/box]

Note: You need to use the public addresses or this will happen.

4. Make sure the client you are on is getting NATTED or PATTED through the firewall. Below we will assume my internal IP address is 192.168.1.1.

Note: If you have names enabled and 192.168.1.1 has a name, you will get no results! issue a no names command from configure terminal mode to check.

[box]

Petes-ASA# show xlate | incl 192.168.1.1

If this machine was being NATTED to another public IP address it would look like..

NAT from inside:192.168.1.1 to outside:123.123.123.124

If this machine was being PATTED to a public IP address it would look like..

ICMP PAT from inside:192.168.1.1/1 to outside:123.123.123.123/1 flags ri idle 0:00:07 timeout 0:00:30

[/box]

If it fails at this stage then check you network translation configuration on the firewall.

5. If all appears normal so far you can capture the traffic as it passes though the firewall, below I’m successfully capturing the ICMP traffic though the firewall.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# capture capout interface inside match icmp host 192.168.1.1 any
Petes-ASA(config)# capture capin interface outside match icmp host 4.2.2.2 any

At this point attempt to ping, so some traffic is captured

Petes-ASA(config)# show capture capout

8 packets captured

1: 12:56:51.089244 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 12:56:51.104410 4.2.2.2 > 192.168.1.1: icmp: echo reply
3: 12:56:52.092829 192.168.1.1 > 4.2.2.2: icmp: echo request
4: 12:56:52.108926 4.2.2.2 > 192.168.1.1: icmp: echo reply
5: 12:56:53.098688 192.168.1.1 > 4.2.2.2: icmp: echo request
6: 12:56:53.113809 4.2.2.2 > 192.168.1.1: icmp: echo reply
7: 12:56:54.105463 192.168.1.1 > 4.2.2.2: icmp: echo request
8: 12:56:54.120263 4.2.2.2 > 192.168.1.1: icmp: echo reply

Petes-ASA(config)# show capture capin

8 packets captured

1: 12:57:28.170981 123.123.123.123 > 4.2.2.2: icmp: echo request
2: 12:57:28.185949 4.2.2.2 > 123.123.123.123: icmp: echo reply
3: 12:57:29.175238 123.123.123.123 > 4.2.2.2: icmp: echo request
4: 12:57:29.190084 4.2.2.2 > 123.123.123.123: icmp: echo reply
5: 12:57:30.180212 123.123.123.123 > 4.2.2.2: icmp: echo request
6: 12:57:30.195500 4.2.2.2 > 123.123.123.123: icmp: echo reply
7: 12:57:31.186101 123.123.123.123 > 4.2.2.2: icmp: echo request
8: 12:57:31.201680 4.2.2.2 > 123.123.123.123: icmp: echo reply
8 packets shown

[/box]

Note: If your capout capture looks like the following, then you didn’t have inspect icmp enabled on your policy-map.

[box]

Petes-ASA(config)# show capture capout

4 packets captured

1: 13:02:33.285309 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 13:02:37.886596 192.168.1.1 > 4.2.2.2: icmp: echo request
3: 13:02:42.886672 192.168.1.1 > 4.2.2.2: icmp: echo request
4: 13:02:47.888198 192.168.1.1 > 4.2.2.2: icmp: echo request
4 packets shown

[/box]

How Do I Clear or Delete a Cisco ASA Capture?

[box]

To clear a Capture, but leave it running;

Petes-ASA(config)# clear capture capin
Petes-ASA(config)# clear capture capout
Petes-ASA(config)# show capture capin

0 packet captured

0 packet shown
Petes-ASA(config)# show capture capout

0 packet captured

0 packet shown

To Delete a Capture;

Petes-ASA(config)# no capture capout
Petes-ASA(config)# no capture capin  

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING

Cisco ASA 5500 Allowing Tracert