If I wanted to then control

GRANT3779 · ‎04-25-2014

Hi All,

on my ASA Outside Interface I have the following configured -

access-list out_in extended permit icmp any any alternate-address
access-list out_in extended permit icmp any any echo
access-list out_in extended permit icmp any any traceroute
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply

access-group out_in in interface outside

When pinging my IP address of the Outside Int - and then checking my ACL, I see no hits against it. Have I gone wrong somewhere? Also, even when I remove the ACL I can still ping the Interface.

Thanks

Jon Marshall · ‎04-25-2014

An acl is used to control traffic through the firewall and not to interfaces on the firewall itself. That is why you do not see any hits when you ping the outside inteface.

The ASA by default allows all ICMP to any interface unless you configure it otherwise so that is why even without an acl it is still allowed.

See this link for details on how to configure the ASA in terms of controlling ICMP to the firewall interfaces -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047

Jon

GRANT3779 · ‎04-25-2014

Thanks for that Jon.

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

This is assuming the any option is available. Not at my ASA just now to check.

Jon Marshall · ‎04-25-2014

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

Yes you would.

Jon

ACL on Outside Interface not being hit