01-09-2017 06:40 PM - edited 03-12-2019 01:45 AM
Wouldn't this ACL bring down the network?
Since internal-out ACL has deny any any at the end implicitly, this will allow only icmp going out?
ciscoasa#config t
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)#access-list internal-out permit icmp any any unreachable
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside
ciscoasa(config)#access-list internal-out permit icmp any any traceroute
Or is this policy allowing traffic coming from outside to inside?
01-09-2017 06:54 PM
access-group internal-out in interface outside
This means that this ACL is applied to traffic in the inbound direction on the outside interface (out to in traffic). In your example, you are adding the icmp types to allow traceroute replies from hosts ahead of the ASA. This won't kill all other traffic, as tcp and udp traffic through the ASA is inspected by default. Any traffic flow (request and reply) that is inspected on its way out is allowed to bypass the ACL check on the way back. If you already have an ACL applied inbound on the outside interface, you should add these entries to that ACL.
The ASA packet processing algorithm is explained here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html
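To illustrate the answer above, here is an added Python model (not from the thread, and not Cisco's code) of the two checks it describes: a packet arriving inbound on the outside interface is permitted if it belongs to a connection that was inspected on the way out, otherwise it must match the ACL, which ends in an implicit deny. The addresses, the connection key (no NAT, no ports) and the packet fields are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                   # "out": leaving via outside, "in": arriving on outside
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "time-exceeded", "unreachable"

# The "internal-out" ACL from the thread, applied inbound on the outside interface.
# Each entry is (protocol, icmp type or None). The implicit deny follows the list.
INTERNAL_OUT_ACL = [("icmp", "echo-reply"), ("icmp", "time-exceeded"), ("icmp", "unreachable")]

# tcp/udp are inspected by default; icmp only because of 'inspect icmp'.
INSPECTED = {"tcp", "udp", "icmp"}

class StatefulFirewall:
    def __init__(self, acl=INTERNAL_OUT_ACL, inspected=INSPECTED):
        self.acl = acl
        self.inspected = inspected
        self.conns = set()   # simplified connection table: (proto, inside_host, outside_host)

    def acl_permits(self, pkt: Packet) -> bool:
        for proto, itype in self.acl:
            if pkt.proto == proto and (itype is None or pkt.icmp_type == itype):
                return True
        return False         # implicit "deny ip any any" at the end of every ASA ACL

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # No ACL on the inside interface in this thread; inspected flows create state.
            if pkt.proto in self.inspected:
                self.conns.add((pkt.proto, pkt.src, pkt.dst))
            return "permit"
        # Inbound on outside: a reply to an inspected flow bypasses the ACL entirely.
        if (pkt.proto, pkt.dst, pkt.src) in self.conns:
            return "permit (existing connection)"
        return "permit (acl)" if self.acl_permits(pkt) else "deny (implicit deny)"

if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.process(Packet("tcp", "10.1.1.5", "203.0.113.10", "out")))
    print(fw.process(Packet("tcp", "203.0.113.10", "10.1.1.5", "in")))      # reply: bypasses ACL
    print(fw.process(Packet("tcp", "198.51.100.7", "10.1.1.5", "in")))      # unsolicited: denied
    print(fw.process(Packet("icmp", "192.0.2.1", "10.1.1.5", "in", "time-exceeded")))  # hop reply
```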
01-10-2017 08:59 AM
thank you