Traceroute through ASA

I have an Avamar grid in our home office and another one in our disaster recovery site. On the Avamar grids we have two interfaces created (one for accessing internal servers and one for replication). On the ASA the physical interface associated with the "inside" network is split into two sub-interfaces. The NIC associated with the internal network uses one sub-interface, the normal "inside" interface, to get to the Internet. The NIC associated with the replication network uses the other sub-interface and is a direct connection through our ISP to our disaster recovery site.
We're trying to work on a bandwidth issue with the replication and noticed that we're seeing dropped packets. I would like to be able to traceroute from the source Avamar grid to the target Avamar grid but can't get this to work through our ASA. If I traceroute from the NIC associated with the internal network to www.google.com traceroute works fine. If I do the same thing and specify the source IP as the IP address of the replication NIC on the source Avamar I see the first hop as the switch where the NIC on the Avamar grid is attached. After that I don't see anything other than "* * *".
I've allowed ICMP in general on both ends just to make sure that the issue isn't a wrong ICMP value being allowed (once this works I'll tighten it down). I've also verified that the global inspection rule is inspecting ICMP.
What am I missing to allow traceroute between the two sites?
Thanks.

Hello Jackson,
By default the ASA will not decrement the TTL value of an IP packet (so it is somewhat transparent, for security purposes), but this can be changed by doing the following:
configure te
  policy-map global_policy
  class class-default
  set connection decrement-ttl
Regards,
Rate all of the helpful posts
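To make the TTL behaviour described above concrete, here is a small simulated traceroute (an added example, not code from the thread or from Cisco): each transit hop either decrements TTL like a router or forwards the packet untouched like a default ASA, and a hop's ICMP reply may or may not make it back. Hostnames and addresses are constructed.

```python
"""Simulated traceroute across a path that contains an ASA.

Shows why a firewall that forwards packets without decrementing TTL never
shows up as a hop, what changes once it decrements TTL, and what the probe
output looks like when ICMP replies from beyond the firewall never return.
Added example; topology and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Hop:
    addr: str
    decrements_ttl: bool = True   # routers do; an ASA by default does not
    returns_icmp: bool = True     # does this hop's ICMP reply reach the sender?


def probe(path, ttl):
    """One probe with the given TTL. Returns the answering address or None ('*')."""
    *transit, dst = path
    for hop in transit:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:           # TTL expired here: ICMP Time Exceeded
                return hop.addr if hop.returns_icmp else None
        # a non-decrementing hop just forwards the packet
    return dst.addr if dst.returns_icmp else None   # destination answers


def traceroute(path, max_ttl=8):
    """Probe with TTL 1, 2, 3 ... until the destination answers or max_ttl."""
    result = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, ttl)
        result.append((ttl, answer))
        if answer == path[-1].addr:
            break
    return result


def render(result):
    return "\n".join(f"{ttl:2d}  {addr or '* * *'}" for ttl, addr in result)


# Constructed topology: L3 switch -> ASA -> ISP router -> DR router -> target grid
SWITCH, ASA, ISP, DR, TARGET = ("10.1.0.1", "10.1.0.254", "203.0.113.1",
                                "198.51.100.1", "198.51.100.50")


def scenario(asa_decrements_ttl=False, replies_beyond_asa_return=True):
    ok = replies_beyond_asa_return
    return [Hop(SWITCH), Hop(ASA, decrements_ttl=asa_decrements_ttl),
            Hop(ISP, returns_icmp=ok), Hop(DR, returns_icmp=ok),
            Hop(TARGET, returns_icmp=ok)]


if __name__ == "__main__":
    print("ASA transparent (default):\n" + render(traceroute(scenario())))
    print("\nASA with decrement-ttl:\n" +
          render(traceroute(scenario(asa_decrements_ttl=True))))
    print("\nICMP replies from beyond the ASA dropped:\n" +
          render(traceroute(scenario(replies_beyond_asa_return=False), 4)))
```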

Similar Messages

  • IP Phone SSL VPN through ASA

    I'm in the middle of configuring IP Phone SSL VPN through ASA, got stuck on authentication. When I enter username and password on the phone screen, I get "Username and password failed" message on the screen. However, in ASA logs I see the following lines:
    Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
    Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
    What does it mean?  How can I turn on debugging to see what is going on?
    Thank you in advance!

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the AAA server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol-specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • GRE tunnel through asa no pptp, l2tp, ipsec

    Hello!
    Can't understand how to configure a GRE tunnel through ASA.
    I have one router with a public IP, connected to the Internet,
    ASA 8.4 with a public IP connected to the Internet,
    a router with a private IP behind the ASA.
    Have only one public IP on the ASA with a /30 mask,
    have no crypto,
    have a network behind the ASA and PAT for Internet users.
    Can't NAT GRE? Because only TCP/UDP is NATed(?)
    With packet-tracer I see the flow already created but the tunnel doesn't work.

    A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Traceroute in ASA

    Hi All,
    I have ASA 5502 in the gateway.
    When I issue the traceroute from the Inside or Outside network, the firewall is not appearing in the output. Even though the destination is reached successfully the firewall is not appearing as a hop.
    Any clues how to configure it to make the firewall show it is also a hop in the path?
    Thanks in advance.
    R.B.Kumar

    R.B.
    In this link see Make the Firewall Show Up in a Traceroute in ASA/PIX section
    https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    Regards

  • Tracing a route passing through ASA

    Hi Everyone,
    Need help on tracing a route to IP 192.168.27.0 that is passing through ASA.
    I did sh route on ASA:
    S    192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet
    So this means that this ASA is learning this route statically through int Xnet, right?
    When I do sh int on ASA it shows Xnet as an interface.
    What should be my next step?
    Also I am able to ping this IP from ASA but when I do sh arp it does not show this IP 192.168.27.251 and its MAC address.
    Thanks
    Mahesh
    Message was edited by: mahesh parmar

    So I presume you have an ASA5550 or you have bought an additional 4-GigabitEthernet module.
    When you look at the ASA from the side where the physical ports are
    The usual ports (without the module) should be in the Right side
    The modules ports should be on the Left side
    The module should contain 8 ports
    4 Ports are for SFP slots (usually for fiber connections)
    4 Ports are for basic Ethernet connectivity
    The configuration should have some line "media-type" which defines which type is used, "rj45" or "sfp"
    rj45 for Ethernet
    sfp for SFP module
    So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
    The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports
    Hope this helps. Hopefully I remembered that right.
    - Jouni

  • Problem transfer TFTP through ASA 5505

    Hello,
    I have a problem with my ASA 5505, I am not able to transfer files bigger than 100ko using TFTP. Below is my architecture:
    CME<->ASA5505<->SW3650
    Here is what I get when I try to download a file located on the 3650 on my CME:
    CME#copy tftp flash
    Address or name of remote host [X.X.X.X]?
    Source filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
    Destination filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
    Accessing tftp://X.X.X.X/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar...
    Loading cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar from 10.52.199.126 (via GigabitEthernet0/0): !... [timed out]
    Error reading tftp://10.52.199.126/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar (Connection timed out)
    When I look on the ASA monitoring page, I see that a UDP connection is built between the ASA and the SW3650 but 2 minutes later there are "Teardown UDP connection" messages.
    Can you please help me? Due to this transfer issue, I am not able to upgrade my IP Phones (the phones only download the first 2 files because they are smaller than 100ko).
    Thank you in advance for your help.
    Regards.
    Thomas.

    Default UDP connection time out is 2 minutes through the ASA.
    You can modify the timeout values for the specific flow from a particular source to destination. Try changing the default connection timeout of UDP (replace the bracketed placeholders with the CME and TFTP server addresses):
    ASA(config)# access-list CONNS permit udp host <CME_IP> host <TFTP_SERVER_IP> eq tftp
    ASA(config)# class-map CONNS
    ASA(config-cmap)#match access-list CONNS
    ASA(config)# policy-map CONNS
    ASA(config-pmap)# class CONNS
    ASA(config-pmap-c)# set connection timeout idle 00:30:00
    ASA(config)# service-policy CONNS {global | interface interface_name}
    you can also globally change the timeout value of UDP using:
    ASA(config)# timeout udp 00:30:00
    Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html#wp1080774
    HTH
    "Please rate helpful posts"

  • How can we allow internal users to access internet through ASA firewall?

    Hello,
    I am new to the security track, I have been asked to set up a lab and allow users from inside the firewall to access the Internet. Here is my lab setup:
    PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
    Does the switch 2 port need Internet access through the router?
    What configuration is required on the ASA to allow users behind the firewall to access the Internet?
    any help on this would be much appreciated.
    thanks,

    Hi,
    Okay, can you clarify this for me. Are you able to ping the Internet from the ASA outside interface?
    Just try something like this:
    ping 4.2.2.2 .. Does this work?
    If this does not work, then I think the ASA itself is not able to get to the Internet and that would be a problem on the router.
    Also, Internet from Switch 2 is not a requirement as that is only a Layer 2 device.
    You can assign the ISP-allocated address on the PC, connect it to the Switch 2 port and then try to ping something on the Internet or surf the Internet and I think that should work.
    Thanks and Regards,
    Vibhor Amrodia

  • Cannot establish site-site vpn tunnel through ASA 9.1(2)

    Hi,
    We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also has a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address. We do not use NAT.
    The site-site VPN tunnel fails to establish.
    The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
    Regards

    >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
    Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
    UDP/500
    UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
    IP/50
    for testing ICMP/Echo
    If you allowed full IP-access between these two endpoints, it is more than enough.
    When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
    Can the two gateways ping each other?

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different from the aaa authentication server-group.
    Try:
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Unable to open SMTP session through ASA 5512-X

    Hi All,
    Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
    NAT and access rules are as follows:
    object network mail
     host 192.168.101.1
     description Mail relay
    access-list inbound extended permit ip any host 200.225.117.1
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 72.38.1.2 to network 0.0.0.0
    C    192.168.100.0 255.255.255.0 is directly connected, inside
    C    72.38.1.0 255.255.255.0 is directly connected, outside
    C    192.168.101.0 255.255.255.0 is directly connected, dmz1
    S*   0.0.0.0 0.0.0.0 [1/0] via 72.38.1.2, outside
    Any ideas? I am also unable to ping the 200.225.117.1 machine with access list permitting IP.
    EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?!?!

    You can actually refer to the object in the access-list instead of the actual ip address.
    There is also a lot of more flexible NAT that you can configure, i.e. both source and destination IP and ports being translated, etc.
    Here are the major changes which take place from version 8.3:
    http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html
    1) NAT
    2) Access-list
    3) Licensing if you have failover pair, doesn't need to be the same anymore.

  • Securely Access Exchange Server 2007 through ASA 5510 using Outlook

    Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)?  OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?  Any help is much appreciated!
    ~John

    Hi John,
    For that scenario, a remote access VPN is probably the best way to go (either the traditional IPSec client or SSL VPN/AnyConnect). This config guide lists your options on the ASA:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
    -Mike

  • Slow SFTP throughput when passed through ASA 55xx

    I have an interesting scenario. I have set up two test boxes for SFTP. One in a DMZ behind an ASA interface, and the other on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s. I get that same low speed even on the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch to the ASA interface to the SFTP server. I even tried this across two different ASAs, same result. One was a 5505, the other a 5520.
    So, it seems the only limiting factor here is the ASA.  Does anyone have any observations or suggestions that might help?
    Thanks!

    Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.
    I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7

  • WMI query through ASA Firewall

    I'm a newbie - please be patient
    We have an ASA firewall that has several DMZ VLANs.
    A support company that is responsible for the SQL Servers wants to use WMI to query server health.
    Their monitoring server is currently on the internal LAN, eight SQL servers are on the internal LAN and six of the SQL Servers are in the DMZ.
    Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition
    The question is the ports that need to be open for Windows 2003 is concerningly large tcp/1025-65535, tcp/135
    What are everyone’s thoughts on opening up such a large range?
    Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux
    Thanks
    PS - if this has already been asked can someone point me to the discussions

    Hi
    I would say that that is a No No.
    But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.
    WMI is a bit tough on firewalls.
    But there are ways to limit the ports used by WMI,
    e.g. you can set it to use fixed ports, and so on.
    Sure it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
    Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
    (I have not tested this) from ASH J Kent (almost at the bottom):
    http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
    Here is one from MSDN
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
    Good luck
    HTH

  • DC and ADC Synchronization through ASA 5580

    Hi, I have a Windows 2008 server acting as DC connected to one of the interfaces of an ASA 5580, and have a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC it's giving an error. NATting is not there in the ASA and I have an access-list configured for "Permit IP Any any" on all interfaces. Any clue what could be the problem?

    1) Please check the syslog to see if it's being blocked by the firewall.
    2) Run packet capture on both interfaces with ACL just between the DC and ADC:
    access-list cap-test permit ip host host
    access-list cap-test permit ip host host
    capture cap-DC access-list cap-test interface
    capture cap-ADC access-list cap-test interface
    Try the "DCPROMO", and check the packet capture to see where it is breaking.

  • SSLv3 through ASA

    Trying to establish a connection to a site using SSLv3 through my ASA 5520 Version 7.2. The download of the data starts and just stops after a few seconds. I ran Ethereal on my client and it is showing me "TCP segment lost", "TCP Dup ACK" and "TCP Fast Retransmission" errors during the conversation. My ASA is set to "SSL Client version any" which should negotiate any protocol. Any help would be appreciated and rated.
    Thanks!

    And you already checked it SSH is working on Server1? Can you SSH from Server2 to Server1?
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
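For the TFTP thread above, where UDP connections are built and then torn down two minutes later, here is a small log check (an added example, not code from the thread or from Cisco): it pairs ASA "Built"/"Teardown UDP connection" syslogs (message ids 302015/302016) by connection id and compares each flow's lifetime with the UDP idle timeout. The log lines are constructed and use documentation addresses.

```python
"""Pair ASA Built/Teardown UDP syslogs and relate flow lifetime to the idle timeout.

Because the idle timer restarts on every packet, a flow torn down at exactly
the timeout (default 2 minutes) saw no packet after the one that created it;
a flow torn down at timeout + N seconds carried its last packet N seconds in.
Added example; the sample lines are constructed."""
import re

BUILT = re.compile(r"%ASA-6-302015: Built \w+ UDP connection (?P<id>\d+) for "
                   r"(?P<src>\S+?/\d+)(?: \(\S+\))? to (?P<dst>\S+?/\d+)")
TEARDOWN = re.compile(r"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for "
                      r"(?P<src>\S+?/\d+) to (?P<dst>\S+?/\d+) duration "
                      r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)")

# Constructed sample: a TFTP request to port 69 that never saw a second packet,
# the server's data flow from an ephemeral port, and a DNS lookup closed by
# inspection as soon as the reply arrived.
SAMPLE = """\
%ASA-6-302015: Built outbound UDP connection 41 for outside:192.0.2.10/69 (192.0.2.10/69) to inside:198.51.100.7/52100 (198.51.100.7/52100)
%ASA-6-302016: Teardown UDP connection 41 for outside:192.0.2.10/69 to inside:198.51.100.7/52100 duration 0:02:00 bytes 516
%ASA-6-302015: Built outbound UDP connection 42 for outside:192.0.2.10/60123 (192.0.2.10/60123) to inside:198.51.100.7/52100 (198.51.100.7/52100)
%ASA-6-302016: Teardown UDP connection 42 for outside:192.0.2.10/60123 to inside:198.51.100.7/52100 duration 0:02:44 bytes 98304
%ASA-6-302015: Built outbound UDP connection 43 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:198.51.100.7/40001 (198.51.100.7/40001)
%ASA-6-302016: Teardown UDP connection 43 for outside:192.0.2.53/53 to inside:198.51.100.7/40001 duration 0:00:00 bytes 160
""".splitlines()


def parse(lines):
    """Return {conn_id: {src, dst, built, duration, bytes}} merged per connection."""
    conns = {}
    for line in lines:
        m = BUILT.search(line)
        if m:
            conns.setdefault(m["id"], {}).update(src=m["src"], dst=m["dst"], built=True)
            continue
        m = TEARDOWN.search(line)
        if m:
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            conns.setdefault(m["id"], {}).update(
                src=m["src"], dst=m["dst"], duration=secs, bytes=int(m["bytes"]))
    return conns


def classify(conns, udp_idle_timeout=120):
    """Label each flow by how its lifetime relates to the configured idle timeout."""
    report = {}
    for cid, c in conns.items():
        if "duration" not in c:
            report[cid] = "still open"
        elif abs(c["duration"] - udp_idle_timeout) <= 1:
            report[cid] = "idle since first packet"
        elif c["duration"] > udp_idle_timeout:
            report[cid] = "active, then idle"      # last packet at duration - timeout
        else:
            report[cid] = "torn down early (not by the idle timer)"
    return report


if __name__ == "__main__":
    for cid, label in classify(parse(SAMPLE)).items():
        print(cid, label)
```

Re-run `classify` with the `timeout udp` value you actually configured (e.g. 1800 for 00:30:00) to see which flows the new setting would have kept.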
