04-25-2014 06:06 AM - edited 03-11-2019 09:07 PM
Hi All,
on my ASA Outside Interface I have the following configured -
access-list out_in extended permit icmp any any alternate-address
access-list out_in extended permit icmp any any echo
access-list out_in extended permit icmp any any traceroute
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply
access-group out_in in interface outside
When pinging my IP address of the Outside Int - and then checking my ACL, I see no hits against it. Have I gone wrong somewhere? Also, even when I remove the ACL I can still ping the Interface.
Thanks
04-25-2014 06:39 AM
An acl is used to control traffic through the firewall and not to interfaces on the firewall itself. That is why you do not see any hits when you ping the outside interface.
The ASA by default allows all ICMP to any interface unless you configure it otherwise so that is why even without an acl it is still allowed.
See this link for details on how to configure the ASA in terms of controlling ICMP to the firewall interfaces -
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047
Jon
04-25-2014 09:19 AM
Thanks for that Jon.
If I wanted to then control ICMP to the interface would I just use this global command
icmp { permit | deny } any [ icmp_type ] outside
This is assuming the any option is available. Not at my ASA just now to check.
04-25-2014 12:20 PM
If I wanted to then control ICMP to the interface would I just use this global command
icmp { permit | deny } any [ icmp_type ] outside
Yes you would.
Jon
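As an added configuration example (not part of the thread), this is how the global command Jon confirmed can be used to restrict the ICMP that the outside interface itself will answer, using the same ICMP types as the original ACL. Lines starting with "!" are annotations, not configuration.

```text
! Added example, not from the original post.
! Permit only echo, echo-reply and the two ICMP error types the ASA
! needs for path MTU discovery and traceroute to reach the interface.
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
! Once at least one icmp rule exists for an interface, ICMP that matches
! no rule is dropped (implicit deny); the explicit deny documents that.
icmp deny any outside
```

With no icmp rules configured the ASA keeps its default of answering all ICMP to its interfaces, which is the behaviour observed in the original question.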