topic ACL - Traceroute in Network Security

ACL - Traceroute

jeffkim.cisco — Tue, 12 Mar 2019 08:45:22 GMT

Wouldnt this ACL bring down the network?

Since internal-out ACL has deny any any at the end implicitly, this will allow only icmp going out?

ciscoasa#config t 
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply 
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded 
ciscoasa(config)#access-list internal-out permit icmp any any unreachable 
ciscoasa(config)#policy-map global_policy 
ciscoasa(config-pmap)#class inspection_default 
ciscoasa(config-pmap-c)#
inspect icmp
 
ciscoasa(config-pmap-c)#
inspect icmp error
 
ciscoasa(config-pmap-c)#end 
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside

ciscoasa(config)#access-list internal-out permit icmp any any traceroute
or is this policy allowing traffic coming from outside to insdie?

access-group internal-out in

Rahul Govindan — Tue, 10 Jan 2017 02:54:11 GMT

access-group internal-out in interface outside

This means that this ACL is applied to traffic in the inbound direction on the outside interface (out to in traffic). In your example, you are adding the icmp types to allow traceroute replies from hosts ahead of the ASA. This wont kill all other traffic as tcp and udp traffic through the ASA is inspected by default. Any traffic flow (request and reply) that is inspected on its way out, is allowed to bypass ACL check on the way back. If you already have an ACL applied inbound on the outside interface, you should that these entries to that ACL.

ASA packet processing algorithm is explained here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

thank you

jeffkim.cisco — Tue, 10 Jan 2017 16:59:16 GMT

thank you