krock83

join:2010-03-02

ASA Traceroute from PC

Hi All,

I have configured my ASA to respond to traceroutes from remote hosts. However, I hear that it is not a good practice to display the IP address of your ASA to the public. Prior to my configuring this, my traceroutes from my PC were not showing anything when the packet reached the ASA; it simply skipped it. I know there is a way to configure the ASA to time out when the packet reaches the ASA, but I forgot how. All documentation on Cisco's site is leading me to how to configure it to show the IP address.

How can I get it to display this?

1 1 ms 1 ms 1 ms 172.30.191.1
2 * * * Time out MY ASA
3 1 ms 1 ms 1 ms 172.30.254.1
4 2 ms 1 ms 1 ms 192.168.20.36
5 2 ms 1 ms 1 ms 192.168.20.1

Thanks
K


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

The "trick" the ASA (and PIX) does to hide itself is not decrementing the TTL for forwarded traffic. That's what you enable to decloak it. The behavior you want is not part of its design. However, an ACL preventing the ASA from sending ICMP time exceeded messages would work -- be careful with that or you may block traceroute through it.

Also, it's a device on the internet (i.e. it has a public address), so you cannot hide it.


krock83

join:2010-03-02
reply to krock83

So in other words I would need to write an ACL to deny traceroute through the ASA?


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

From the ASA itself toward the internet. A blanket "deny icmp time-exceeded" would do the trick; it would also stop traceroute from inside the ASA as well.


krock83

join:2010-03-02
reply to krock83

I did the following:

  access-list outside-in-acl line 1 remark Allow ICMP Type 11 Windows tracert
  access-list outside-in-acl line 2 extended deny icmp any4 any4 time-exceeded

I am still able to see the ASA's IP address.


DaSneaky1D
what's up
Premium,MVM
join:2001-03-29
The Lou

Check your rule placement. Deny first, then allow.


nosx

join:2004-12-27
00000
kudos:5
reply to krock83

The answer to this query has nothing to do with ACLs or blocking traffic:

Make the Firewall Show Up in a Traceroute in ASA/PIX

  ciscoasa(config)#class-map class-default
  ciscoasa(config)#match any
  !--- This class-map exists by default.
  ciscoasa(config)#policy-map global_policy
  !--- This policy-map exists by default.
  ciscoasa(config-pmap)#class class-default
  !--- Add another class-map to this policy.
  ciscoasa(config-pmap-c)#set connection decrement-ttl
  !--- Decrement the IP TTL field for packets traversing the firewall.
  !--- By default, the TTL is not decremented, hiding (somewhat) the firewall.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

Getting the device to answer (decrement TTL) isn't the question. Getting it to show as a dead hop in the path is what he wants. So he needs BOTH a policy change as documented PLUS a rule to filter the self-generated ICMP message.

His issue is with *where* the ACL is attached... outside-in is the wrong place. It's a packet generated by the firewall aimed at the internet. (i.e. an "outside-out-acl" -- a control-plane ACL, but I don't think ASAs do that.)
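The three behaviours the thread walks through (ASA transparent because it never decrements TTL; ASA visible because it decrements and answers with ICMP time exceeded; ASA shown as a "* * *" hop because it decrements but its time exceeded reply never leaves) are easiest to see side by side in a small model of what a traceroute client observes. The following is an added Python simulation written for this thread; it is not ASA code or Cisco's, and the hop addresses are the ones from the original post plus a constructed 203.0.113.1 standing in for the ASA.

```python
"""Simulate what a traceroute client sees from a hop that does or does not
decrement TTL, and that does or does not send ICMP time exceeded (type 11)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    address: str
    decrement_ttl: bool = True       # ordinary routers always do; ASA only with "set connection decrement-ttl"
    send_time_exceeded: bool = True  # False models the type 11 reply being filtered or rate-limited away


def probe(path: List[Hop], destination: str, ttl: int) -> Optional[str]:
    """Send one probe with the given TTL along the path.

    Returns the address that answers, or None when nothing answers (a timeout)."""
    for hop in path:
        if not hop.decrement_ttl:
            continue                 # transparent hop: packet forwarded with TTL untouched
        ttl -= 1
        if ttl == 0:
            # TTL expired here; the hop either reports itself or stays silent
            return hop.address if hop.send_time_exceeded else None
    return destination               # probe reached the end host, which always answers


def traceroute(path: List[Hop], destination: str, max_hops: int = 30) -> List[Tuple[int, Optional[str]]]:
    """Classic traceroute: TTL 1, 2, 3, ... until the destination answers."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answer = probe(path, destination, ttl)
        rows.append((ttl, answer))
        if answer == destination:
            break
    return rows


def render(rows: List[Tuple[int, Optional[str]]]) -> str:
    """Format rows roughly like Windows tracert output."""
    return "\n".join(
        f"{ttl:2d}  {'* * *  Request timed out.' if addr is None else addr}" for ttl, addr in rows
    )


# Constructed path based on the addresses in the original post; the ASA address is a placeholder.
ASA_ADDRESS = "203.0.113.1"


def asa_traceroute(asa_decrements_ttl: bool, asa_sends_time_exceeded: bool) -> List[Tuple[int, Optional[str]]]:
    """Run the simulated traceroute with the ASA configured one of three ways."""
    path = [
        Hop("172.30.191.1"),
        Hop(ASA_ADDRESS, decrement_ttl=asa_decrements_ttl, send_time_exceeded=asa_sends_time_exceeded),
        Hop("172.30.254.1"),
        Hop("192.168.20.36"),
    ]
    return traceroute(path, destination="192.168.20.1")


if __name__ == "__main__":
    for label, dec, reply in [
        ("ASA default: no TTL decrement (hop is invisible)", False, True),
        ("decrement-ttl enabled (hop shows its address)", True, True),
        ("decrement-ttl enabled, type 11 suppressed (dead hop)", True, False),
    ]:
        print(f"--- {label}")
        print(render(asa_traceroute(dec, reply)))
```

Note that in the first case the path simply looks one hop shorter: a non-decrementing firewall is not a "timed out" hop, it is absent, which is why decrement-ttl alone can only ever make the ASA more visible, never turn it into a "* * *" line.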


nosx

join:2004-12-27
00000
kudos:5

Why in the world would you want to show up as a timed out hop in a traceroute? Either decrement the TTL and participate like a good compliant router, or don't and be invisible.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

We weren't asked "why", just "how".



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to nosx

I never understood security people. Their whole job is to make everyone else's life harder.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by TomS_:

I never understood security people. Their whole job is to make everyone else's life harder.

Depends on which security people you work with; some are up in the cloud while some are down to earth.

krock83

join:2010-03-02
reply to krock83

This fixed the issue....

  icmp unreachable rate-limit 1 burst-size 1

On the older code, 8.2 and older, this command was there by default, but on 9.1(2) it is not.

and yes I agree Security People SUCK!!!!

Thanks for all the hints
K

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
reply to krock83

FWIW, I try to always allow traceroute and ping. Yay for easy to troubleshoot networks and boo to questionable security-through-obscurity practices.