Allow ping and tracert thru ASA and debug ICMP

Posted: October 5, 2013 in Cisco Security - Firewalls

OUTSIDE_IN  -> | outside interface |                  (ingress ACL: traffic arriving on the outside interface)
               | outside interface | -> OUTSIDE_OUT   (egress ACL: traffic leaving through the outside interface)

! Ingress ACL on the outside interface
!-- allow traceroute return packets
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
!-- allow pings across firewall
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply

! Egress ACL: permit ping packets
access-list OUTSIDE_OUT extended permit icmp any any echo
access-list OUTSIDE_OUT extended permit icmp any any echo-reply

!-- allow the ASA itself to ping any destination, but not to respond to pings sent to it
!-- (only the replies to its own echo requests are accepted on the outside interface):
icmp permit any echo-reply outside

!-- allow the ASA to perform traceroute and to accept pMTU messages
icmp permit any time-exceeded outside
icmp permit any unreachable outside

ASA3# debug icmp trace

ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=0 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=1 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ASA3# sh xlate
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from any:150.1.2.2/16 to any:136.1.123.33/16 flags ri idle 0:00:29 timeout 0:00:30
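The capture above shows two echo requests being translated but no echo replies coming back, and the xlate entry confirms the ICMP PAT (the number after the slash in an ICMP xlate is the ICMP identifier, 16 here, matching ID=16 in the debug). The following is an added example, not part of the original post: a parser for `debug icmp trace` and `show xlate` lines that pairs requests with replies by (ID, seq), reports the probes that never got an answer, and checks the PAT entry against the "translating" lines. The echo-reply lines in the sample are constructed in the same style as the request lines so the pairing has something to match; the post's own capture contains only requests.

```python
"""
Added example, not from the original post: pair ICMP echo requests with
replies from `debug icmp trace` output and cross-check the ICMP PAT
xlate entry against it. Only the line formats shown on the page are parsed.
"""
import re

# Constructed sample: the two requests from the post plus one constructed
# reply pair (reply lines are assumed to follow the same layout).
DEBUG = """\
ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=0 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ICMP echo request from inside:150.1.2.2 to outside:136.1.123.12 ID=16 seq=1 len=72
ICMP echo request translating inside:150.1.2.2 to outside:136.1.123.33
ICMP echo reply from outside:136.1.123.12 to inside:150.1.2.2 ID=16 seq=1 len=72
ICMP echo reply untranslating outside:136.1.123.33 to inside:150.1.2.2
"""
XLATE = ("ICMP PAT from any:150.1.2.2/16 to any:136.1.123.33/16 "
         "flags ri idle 0:00:29 timeout 0:00:30")

ECHO_RE = re.compile(
    r"ICMP echo (request|reply) from (\w+):([\d.]+) to (\w+):([\d.]+) ID=(\d+) seq=(\d+)")
XLATING_RE = re.compile(r"ICMP echo request translating \w+:([\d.]+) to \w+:([\d.]+)")
# In an ICMP PAT xlate the number after the slash is the ICMP identifier, not a prefix length.
XLATE_RE = re.compile(r"ICMP PAT from \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+)")


def pair_echoes(debug_text):
    """Group echo lines by (ID, seq) -> {'request': (src, dst) or None, 'reply': (src, dst) or None}."""
    flows = {}
    for line in debug_text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue  # translating/untranslating lines carry no ID/seq
        kind, sif, src, dif, dst, ident, seq = m.groups()
        entry = flows.setdefault((int(ident), int(seq)), {"request": None, "reply": None})
        entry[kind] = (f"{sif}:{src}", f"{dif}:{dst}")
    return flows


def unanswered(debug_text):
    """Probes that were sent but never saw a reply: the signal that the return path is blocked."""
    return sorted(k for k, v in pair_echoes(debug_text).items()
                  if v["request"] is not None and v["reply"] is None)


def xlate_consistent(xlate_line, debug_text):
    """True when the PAT entry's real/mapped addresses and ICMP ID match what the debug shows."""
    m = XLATE_RE.search(xlate_line)
    if not m:
        return False
    real, real_id, mapped, _mapped_id = m.groups()
    translated = {tuple(t.groups()) for t in XLATING_RE.finditer(debug_text)}
    ids = {ident for (ident, _seq) in pair_echoes(debug_text)}
    return (real, mapped) in translated and int(real_id) in ids


if __name__ == "__main__":
    print("unanswered probes (ID, seq):", unanswered(DEBUG))
    print("xlate agrees with debug:", xlate_consistent(XLATE, DEBUG))
```

On the post's capture, seq 0 shows up as unanswered while the xlate check passes, which points away from NAT and towards the return path (an ACL on the outside interface or the far end) as the place to look next.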

Example: nobody can ping the firewall, but the firewall can ping out on all of its interfaces, and it responds to traceroute and pMTU discovery. These are to-the-box icmp rules applied per interface, not interface ACLs:

icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside

icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any unreachable inside

icmp permit any echo-reply dmz1
icmp permit any time-exceeded dmz1
icmp permit any unreachable dmz1

icmp permit any echo-reply dmz2
icmp permit any time-exceeded dmz2
icmp permit any unreachable dmz2
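The interface ACLs earlier in the post and the per-interface `icmp permit` rules above are both evaluated top-down with an implicit deny at the end, and an ICMP type given without a code matches every code of that type (so `unreachable` covers Fragmentation Needed, type 3 code 4, which pMTU discovery needs). The following is an added example, not the post's or Cisco's code: a small first-match evaluator for both rule kinds. It parses only the IPv4 address forms `any`, `host X` and `NET MASK` (an assumption made to keep it short) and takes its sample rules from the post.

```python
"""
Added example, not from the original post: first-match evaluation of ASA
ICMP rules. `access-list ... icmp ...` lines govern traffic through the
box; `icmp permit|deny ...` lines govern ICMP to the box's own interfaces.
"""
import ipaddress

# IANA ICMP type numbers for the names used in the post.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}

# Constructed sample configs, copied from the post.
OUTSIDE_IN = """
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
"""
TO_THE_BOX = """
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
"""


def _take_addr(parts, i):
    """Consume one address spec at parts[i]; return ("any" or ip_network, next index)."""
    if parts[i] == "any":
        return "any", i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(parts[i] + "/" + parts[i + 1], strict=False), i + 2


def _icmp_type(tok):
    return int(tok) if tok.isdigit() else ICMP_TYPES[tok]


def parse_acl(text):
    """access-list NAME extended ACTION icmp SRC DST [TYPE [CODE]] -> ordered rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:1] != ["access-list"] or p[2] != "extended" or p[4] != "icmp":
            continue  # only ICMP ACEs are modelled here
        src, i = _take_addr(p, 5)
        dst, i = _take_addr(p, i)
        itype = _icmp_type(p[i]) if i < len(p) else None
        code = int(p[i + 1]) if i + 1 < len(p) else None
        rules.append((p[3], src, dst, itype, code))
    return rules


def parse_icmp_rules(text):
    """icmp ACTION SRC [TYPE] IFACE -> {interface: [rule tuples]}; the destination is the ASA."""
    per_iface = {}
    for line in text.strip().splitlines():
        p = line.split()
        if p[:1] != ["icmp"]:
            continue
        src, i = _take_addr(p, 2)
        iface = p[-1]
        itype = _icmp_type(p[i]) if p[i] != iface else None  # type is optional
        per_iface.setdefault(iface, []).append((p[1], src, "any", itype, None))
    return per_iface


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in spec


def permitted(rules, src, dst, itype, code=0):
    """First matching rule decides; no match is the implicit deny."""
    for action, rsrc, rdst, rtype, rcode in rules:
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rtype is not None and rtype != itype:
            continue
        if rcode is not None and rcode != code:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN)
    box = parse_icmp_rules(TO_THE_BOX)["outside"]
    # Fragmentation Needed is type 3 code 4; "unreachable" without a code matches it.
    print("pMTU message through the ASA:", permitted(acl, "136.1.123.1", "150.1.2.2", 3, 4))
    print("ping the ASA from outside:   ", permitted(box, "136.1.123.12", "136.1.123.33", 8))
    print("ASA receives its own reply:  ", permitted(box, "136.1.123.12", "136.1.123.33", 0))
```

Running it shows the split the post relies on: an echo request aimed at the outside interface is dropped by the to-the-box rules (no response to pings), while the echo-reply, time-exceeded and unreachable types the ASA needs for its own ping, traceroute and pMTU discovery get through.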

##### A bit of theory #####

The traceroute command is used to discover the route that packets actually take to their destination. The device sends out a sequence of User Datagram Protocol (UDP) datagrams to an invalid (unused) port at the remote host.
Three datagrams are sent, each with the Time-To-Live (TTL) field set to 1. A TTL of 1 causes the datagram to "time out" as soon as it hits the first router in the path; that router responds with an ICMP Time Exceeded Message (TEM) indicating that the datagram has expired.
Another three UDP datagrams are then sent, each with the TTL set to 2, which causes the second router to return ICMP TEMs. This process continues until the datagrams actually reach the destination.

Since these datagrams are trying to access an invalid port at the destination host, ICMP Port Unreachable Messages are returned, indicating an unreachable port; this event signals the Traceroute program that it is finished.

The purpose behind this is to record the source of each ICMP Time Exceeded Message, which gives a trace of the path the packet took to reach the destination.

For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.

IPv6 routers do not support fragmentation or the Don’t Fragment option. For IPv6, Path MTU Discovery works by initially assuming the path MTU is the same as the MTU on the link layer interface through which the traffic is being sent. Then, similar to IPv4, any device along the path whose MTU is smaller than the packet will drop the packet and send back an ICMPv6 Packet Too Big (Type 2) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
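The three paragraphs above describe two loops driven entirely by ICMP error messages, which is why the ingress ACL at the top of the post permits `time-exceeded` and `unreachable`. The following is an added example, not from the original post: a small simulation of those mechanics over a constructed path of routers with link MTUs (addresses from the documentation ranges). Each probe walks the path and returns the ICMP message the real network would send back; the last function collects the ICMP types the source, and therefore the firewall in front of it, must be able to receive. It goes slightly beyond the text by running the same loop with the IPv6 Packet Too Big (type 2) message.

```python
"""
Added example, not from the original post: traceroute and Path MTU
Discovery simulated over a constructed path. No packets are sent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    addr: str
    mtu: int  # MTU of the link this router forwards onto


# ICMP (type, code) pairs a probe can elicit.
TIME_EXCEEDED = (11, 0)
PORT_UNREACHABLE = (3, 3)
FRAG_NEEDED = (3, 4)     # IPv4 "Fragmentation Needed and DF set"
PACKET_TOO_BIG = (2, 0)  # ICMPv6 equivalent

# Constructed path: two routers; the second link has the smaller MTU.
ROUTERS = [Router("192.0.2.1", 1500), Router("198.51.100.1", 1400)]
DEST = "203.0.113.9"


def send_probe(routers, dest, ttl, size, df=False, ipv6=False):
    """Walk one datagram along the path; return (replier, (type, code), reported_mtu)."""
    too_big = PACKET_TOO_BIG if ipv6 else FRAG_NEEDED
    for r in routers:
        ttl -= 1
        if ttl == 0:  # the router that expires the TTL reports it
            return r.addr, TIME_EXCEEDED, None
        # IPv6 routers never fragment; IPv4 routers only refuse when DF is set.
        if (df or ipv6) and size > r.mtu:
            return r.addr, too_big, r.mtu
    # Reached the host: a UDP probe to an unused port draws Port Unreachable.
    return dest, PORT_UNREACHABLE, None


def traceroute(routers, dest, probes=3, max_ttl=30):
    """Raise the TTL one step at a time until the destination itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(routers, dest, ttl, size=60) for _ in range(probes)]
        addr, msg, _ = replies[0]  # lossless model: the three probes agree
        hops.append((ttl, addr, msg))
        if msg == PORT_UNREACHABLE:
            break
    return hops


def pmtud(routers, dest, size, ipv6=False):
    """Shrink the packet on each Too Big / Fragmentation Needed until it gets through."""
    reported = []
    while True:
        addr, msg, mtu = send_probe(routers, dest, ttl=64, size=size, df=True, ipv6=ipv6)
        if msg not in (FRAG_NEEDED, PACKET_TOO_BIG):
            return size, reported
        if mtu >= size:  # a report that does not shrink the packet would loop forever
            raise ValueError("bogus MTU report")
        reported.append((addr, mtu))
        size = mtu


def icmp_types_needed(routers, dest, size=1500):
    """ICMP types the source must receive for both tools to work (sorted)."""
    types = {msg[0] for _, _, msg in traceroute(routers, dest)}
    _, reported = pmtud(routers, dest, size)
    if reported:
        types.add(FRAG_NEEDED[0])
    return sorted(types)


if __name__ == "__main__":
    for ttl, addr, msg in traceroute(ROUTERS, DEST):
        print(f"TTL {ttl}: {addr} -> ICMP type/code {msg}")
    print("path MTU, reports:", pmtud(ROUTERS, DEST, 1500))
    print("ICMP types the ingress ACL must permit:", icmp_types_needed(ROUTERS, DEST))
```

The result, types 3 and 11, is exactly the pair the post's `OUTSIDE_IN` list permits as "traceroute return packets"; dropping either one at the firewall turns traceroute into a column of stars and leaves pMTU discovery stuck at the original size.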

The ping command uses a series of Internet Control Message Protocol (ICMP) Echo messages to determine:
– Whether a remote host is active or inactive.
– The round-trip delay in communicating with the host.
– Packet loss.

The ping command first sends an echo request packet to an address, then waits for a reply. The ping is successful only if:
– the echo request gets to the destination, and
– the destination is able to get an echo reply back to the source within a predetermined time called a timeout. The default value of this timeout is two seconds on Cisco routers.

The TTL value of a ping packet cannot be changed.

################################################################