topic An acl is used to control in Network Security

ACL on Outside Interface not being hit

GRANT3779 — Tue, 12 Mar 2019 04:07:18 GMT

Hi All,

on my ASA Outside Interface I have the following configured -

access-list out_in extended permit icmp any any alternate-address
access-list out_in extended permit icmp any any echo
access-list out_in extended permit icmp any any traceroute
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply

access-group out_in in interface outside

When pinging my IP address of the Outside Int - and then checking my ACL, I see no hits against it. Have I gone wrong somewhere? Also, even when I remove the ACL I can still ping the Interface.

Thanks

An acl is used to control

Jon Marshall — Fri, 25 Apr 2014 13:39:20 GMT

An acl is used to control traffic through the firewall and not to interfaces on the firewall itself. That is why you do not see any hits when you ping the outside inteface.

The ASA by default allows all ICMP to any interface unless you configure it otherwise so that is why even without an acl it is still allowed.

See this link for details on how to configure the ASA in terms of controlling ICMP to the firewall interfaces -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047

Jon

Thanks for that Jon.If I

GRANT3779 — Fri, 25 Apr 2014 16:19:22 GMT

Thanks for that Jon.

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

This is assuming the any option is available. Not at my ASA just now to check.

If I wanted to then control

Jon Marshall — Fri, 25 Apr 2014 19:20:16 GMT

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

Yes you would.

Jon