Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Cannot run tracert behind ASA
- Thread starter danno74
- Start date
- Thread starter
- #3
- Thread starter
- #4
- Thread starter
- #6
Sorry, I'm fairly new to this within the last year, so bear with me.
The only group settings in the show run are the following:
tunnel-group (where each peer is listed)
isakmp policy 1 group 2
isakmp policy 2 group 2
isakmp policy 3 group 1
group-lock none
group-policy DfltGrpPolicy attributes (bunch listed under that indented)
That's it.
I might not have a outside ACL group setup. Can I just enter what you have above, or does it need a group name?
The only group settings in the show run are the following:
tunnel-group (where each peer is listed)
isakmp policy 1 group 2
isakmp policy 2 group 2
isakmp policy 3 group 1
group-lock none
group-policy DfltGrpPolicy attributes (bunch listed under that indented)
That's it.
I might not have a outside ACL group setup. Can I just enter what you have above, or does it need a group name?
- Thread starter
- #8
I get this error, must not translate over to the ASA:
mmri-asa-01(config)# access-list outside_in permit icmp any host any time-exce$
access-list outside_in permit icmp any host any time-exceeded
^
ERROR: % Invalid input detected at '^' marker.
mmri-asa-01(config)#
mmri-asa-01(config)# access-list outside_in permit icmp any host any time-exce$
access-list outside_in permit icmp any host any time-exceeded
^
ERROR: % Invalid input detected at '^' marker.
mmri-asa-01(config)#
- Thread starter
- #9
I get this error, must not translate over to the ASA:
asa-01(config)# access-list outside_in permit icmp any host any time-exce$
access-list outside_in permit icmp any host any time-exceeded
^
ERROR: % Invalid input detected at '^' marker.
asa-01(config)#
asa-01(config)# access-list outside_in permit icmp any host any time-exce$
access-list outside_in permit icmp any host any time-exceeded
^
ERROR: % Invalid input detected at '^' marker.
asa-01(config)#
- Thread starter
- #10
This is what another tech told me to do:
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit icmp any any unreachable
access-group outside-acl in interface outside.
I did this but then he told me there was a problem:
Please issue the following command:
show sysopt
It appears that you don’t have the following enabled:
sysopt connection permit-ipsec
This command bypasses ACLs for IPSec traffic. In fact please delete the command: “access-group outside-acl in interface Outside” until this is done. Otherwise, new tunnels will be unable to form.
I told him he lost me...
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit icmp any any unreachable
access-group outside-acl in interface outside.
I did this but then he told me there was a problem:
Please issue the following command:
show sysopt
It appears that you don’t have the following enabled:
sysopt connection permit-ipsec
This command bypasses ACLs for IPSec traffic. In fact please delete the command: “access-group outside-acl in interface Outside” until this is done. Otherwise, new tunnels will be unable to form.
I told him he lost me...
- Thread starter
- #11
Supergrrover
IS-IT--Management
danno,
Give this a try.
Make an object group (looks nicer than so many ACL lines)
object-group icmp-type icmp_messages
description ICMP group type to include PING responses
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
fixup protocol icmp error (allows NATing of icmp error messages)
access-list outside-in extended permit icmp any host [External IP] object-group icmp_messages
access-group outside-in in interface outside
I tested this and it works on my ASA. Hope this helps
Brent
Systems Engineer / Consultant
CCNP
Give this a try.
Make an object group (looks nicer than so many ACL lines)
object-group icmp-type icmp_messages
description ICMP group type to include PING responses
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
fixup protocol icmp error (allows NATing of icmp error messages)
access-list outside-in extended permit icmp any host [External IP] object-group icmp_messages
access-group outside-in in interface outside
I tested this and it works on my ASA. Hope this helps
Brent
Systems Engineer / Consultant
CCNP
NetworkGhost
IS-IT--Management
Supergrrover's post should work for you. Is this traffic coming through a tunnel? On the Pix and ASAs applying a access-list to an interface does not kill ipsec connections for that interface. They are implied allows if enabled unlike routers.
Hello,
Supergrrover is good but just a tip it it don't work:
replace:
access-list outside-in extended permit icmp any host [External IP] object-group icmp_messages
by :
access-list outside-in extended permit icmp any host [External NAT IP(s)] object-group icmp_messages
My best regards
CHOUM
PIX 501/515
ASA 5510
Supergrrover is good but just a tip it it don't work:
replace:
access-list outside-in extended permit icmp any host [External IP] object-group icmp_messages
by :
access-list outside-in extended permit icmp any host [External NAT IP(s)] object-group icmp_messages
My best regards
CHOUM
PIX 501/515
ASA 5510
- Status
Similar threads