I. Overview:
By default the ASA does not decrement the TTL of transit packets and therefore never sends a TTL-exceeded reply, so traceroute/tracert does not show the ASA as a hop. In addition, traceroute/tracert cannot pass through the firewall because the firewall policy blocks the packets it relies on.
II. Basic ideas:
Work out, from how traceroute/tracert is implemented, why it cannot pass through the firewall, and then open the corresponding firewall policy:
A. Windows hosts:
The Windows tracert command sends ICMP echo request packets, starting with TTL=1 and incrementing the TTL by one per hop, three packets per hop. Each intermediate device replies with an ICMP time-exceeded (TTL timeout) packet, ICMP type 11 code 0, and the destination replies with an ICMP echo reply.
---- If ICMP inspection is enabled, the ICMP echo replies to the intranet host come back normally, but the ICMP time-exceeded packets do not, so they must be permitted by policy.
B. Linux hosts and network devices:
The Linux and network-device traceroute command sends UDP packets. The first packet's destination port is 33434; starting with TTL=1, three packets are sent per TTL, the TTL is incremented by one per hop, and the UDP destination port is incremented by one per packet. Intermediate devices reply with ICMP time-exceeded packets (ICMP type 11), and the destination replies with an ICMP port-unreachable packet (ICMP type 3 code 3).
---- Linux and network-device traceroute supports 30 hops by default, with three UDP packets per hop, so the UDP destination ports run from 33434 to 33434+30*3-1, i.e. 33434 to 33523.
---- For a traceroute from the firewall's high security zone to its low security zone, the returning ICMP time-exceeded and port-unreachable packets must be permitted.
---- For a traceroute from the low security zone to the high security zone, only the initial UDP packets need to be permitted, with destination ports 33434 to 33523.
III. Firewall policy settings:
A. From the high security zone to the low security zone
---- for example, from inside to outside.
① Make the ASA reply with TTL timeout (decrement the TTL of transit packets):
class-map all_ip
 match any
policy-map global_policy
 class all_ip
  set connection decrement-ttl
② Enable ICMP inspection globally:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
(I am not quite clear what exactly this last one does.)
③ Firewall policy:
access-list outside_access_in remark ICMP type 11 for Windows traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
④ Adjust the rate of ICMP unreachable replies:
ciscoasa(config)# icmp unreachable rate-limit <rate> burst-size 5
!--- <rate> is a placeholder: the rate value is missing from the source.
!--- Adjust ICMP unreachable replies:
!--- the default is rate-limit 1 burst-size 1.
!--- the default would result in timeouts for the ASA hop.
B. From the low security zone to the high security zone:
---- for example, from outside to inside (not recommended on an Internet border firewall)
① Make the ASA reply with TTL timeout
Same as above.
② Permit the initial flow
1. Permit ICMP echo traffic for Windows hosts:
access-list outside_access_in permit icmp any any echo
---- "echo" in the ACL means the ICMP echo request packet (type 8).
2. Permit UDP traffic for Linux hosts and network devices:
access-list outside_access_in remark Tracert from outside
access-list outside_access_in permit udp any any range 33434 33523
access-group outside_access_in in interface outside
---- Because ICMP echo and UDP ports 33434 to 33523 are opened, there is no way to stop devices in the outside zone from using them for DoS or DDoS attacks on devices in the inside zone. Do not open them on an Internet border firewall unless really necessary; on a firewall between different security zones within the company, decide whether to open them as needed.
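As an added illustration that is not part of the original post, the following Python models the probe sequences described above and checks them against the ACL entries the post configures on the outside interface. The Packet class and the ACL-as-predicate-list model are simplifications assumed for this example; they are not ASA code.

```python
from dataclasses import dataclass

FIRST_PORT = 33434  # first UDP destination port a Linux/IOS traceroute probes


def udp_port_range(max_hops: int = 30, probes_per_hop: int = 3) -> tuple:
    """Destination-port range a UDP traceroute uses: one port per probe."""
    return FIRST_PORT, FIRST_PORT + max_hops * probes_per_hop - 1


def unix_probes(max_hops: int = 30, probes_per_hop: int = 3):
    """Yield (ttl, dst_port) per UDP probe: TTL rises per hop, port per probe."""
    port = FIRST_PORT
    for ttl in range(1, max_hops + 1):
        for _ in range(probes_per_hop):
            yield ttl, port
            port += 1


@dataclass(frozen=True)
class Packet:                 # simplified packet model assumed for this example
    proto: str                # "udp" or "icmp"
    dport: int = 0            # UDP destination port
    icmp_type: int = -1       # 8 echo request, 11 time-exceeded, 3 unreachable
    icmp_code: int = -1


def build_acl(direction: str):
    """ACL entries the post adds on the outside interface for each direction."""
    if direction == "high_to_low":   # inside -> outside: permit the replies back in
        return [("icmp", lambda p: p.icmp_type == 11),   # time-exceeded
                ("icmp", lambda p: p.icmp_type == 3)]    # unreachable
    lo, hi = udp_port_range()        # outside -> inside: permit the initial probes
    return [("icmp", lambda p: p.icmp_type == 8),        # echo (Windows tracert)
            ("udp", lambda p: lo <= p.dport <= hi)]      # UDP probes (Linux/IOS)


def permitted(acl, pkt: Packet) -> bool:
    """First matching entry wins; an ASA ACL ends in an implicit deny."""
    return any(proto == pkt.proto and match(pkt) for proto, match in acl)


def all_probes_permitted(acl, max_hops: int = 30) -> bool:
    """True when every UDP probe of a traceroute with max_hops passes the ACL."""
    return all(permitted(acl, Packet("udp", dport=port))
               for _, port in unix_probes(max_hops))


if __name__ == "__main__":
    print("UDP port range:", udp_port_range())
    print("default traceroute permitted from outside:",
          all_probes_permitted(build_acl("low_to_high")))
```

Running all_probes_permitted with max_hops=40 returns False, which shows the caveat of the fixed port range: a traceroute configured for more than 30 hops probes ports above 33523 and those probes are dropped by this ACL.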
This article comes from the "Httpyuntianjxxll.spac" blog; please keep this source: http://333234.blog.51cto.com/323234/1221671