ACL on Outside Interface not being hit

GRANT3779
Spotlight

Hi All,

On my ASA outside interface I have the following configured -

access-list out_in extended permit icmp any any alternate-address
access-list out_in extended permit icmp any any echo
access-list out_in extended permit icmp any any traceroute
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply

access-group out_in in interface outside

When pinging my IP address of the Outside Int - and then checking my ACL, I see no hits against it. Have I gone wrong somewhere? Also, even when I remove the ACL I can still ping the Interface.


Thanks


3 Replies

Jon Marshall
Hall of Fame

An acl is used to control traffic through the firewall and not to interfaces on the firewall itself. That is why you do not see any hits when you ping the outside interface.

The ASA by default allows all ICMP to any interface unless you configure it otherwise so that is why even without an acl it is still allowed.

See this link for details on how to configure the ASA in terms of controlling ICMP to the firewall interfaces -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047

Jon

Thanks for that Jon.

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

This is assuming the any option is available. Not at my ASA just now to check.

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

Yes you would.

Jon
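Putting the two answers together, here is an added configuration example (not posted by anyone in the thread) of what controlling ICMP to the ASA's own outside interface looks like with the icmp command Jon confirmed. The interface name outside comes from the original post; 203.0.113.0/24 is a constructed placeholder for a trusted monitoring network, and the choice of which ICMP types to allow is an assumption, not something the thread specifies.

```text
! Added example, not from the thread: limit ICMP addressed to the ASA's
! own outside interface. 203.0.113.0/24 is a constructed placeholder
! for a trusted monitoring network.
!
! ICMP control entries are evaluated top-down and the first match wins,
! so the specific permits go before the catch-all deny. Once any icmp
! entry exists for an interface, ICMP to that interface that matches
! nothing in the list is dropped.
icmp permit 203.0.113.0 255.255.255.0 echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside
!
! Verify what is applied:
! show running-config icmp
```

The access-list out_in from the original post is untouched by this: it keeps governing ICMP that transits the ASA through the outside interface toward hosts behind it, and "show access-list out_in" will only ever show hit counts for that transit traffic, never for pings aimed at the interface address itself.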
