864 Views, 0 Helpful, 2 Replies

ACL - Traceroute

jeffkim.cisco
Level 1

Wouldn't this ACL bring down the network?

Since the internal-out ACL has an implicit deny any any at the end, will this allow only ICMP going out?

ciscoasa#config t
ciscoasa(config)#access-list internal-out permit icmp any any echo-reply
ciscoasa(config)#access-list internal-out permit icmp any any time-exceeded
ciscoasa(config)#access-list internal-out permit icmp any any unreachable
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config-pmap-c)#end
ciscoasa(config)#service-policy global_policy global
ciscoasa(config)#access-group internal-out in interface outside

ciscoasa(config)#access-list internal-out permit icmp any any traceroute
Or is this policy allowing traffic coming from outside to inside?
2 Replies

Rahul Govindan
VIP Alumni
access-group internal-out in interface outside

This means that this ACL is applied to traffic in the inbound direction on the outside interface (out to in traffic). In your example, you are adding the ICMP types to allow traceroute replies from hosts ahead of the ASA. This won't kill all other traffic, as TCP and UDP traffic through the ASA is inspected by default. Any traffic flow (request and reply) that is inspected on its way out is allowed to bypass the ACL check on the way back. If you already have an ACL applied inbound on the outside interface, you should add these entries to that ACL.

ASA packet processing algorithm is explained here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

thank you
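To make the decision order described in the reply concrete (existing connection first, the interface ACL only for packets that match no connection, implicit deny at the end), here is a small Python model of it. This is an added illustration written for this page, not ASA code and not Cisco's packet-flow algorithm: the connection table, the packet records and the addresses are constructed and simplified, ICMP error inspection of the embedded header is not modelled, and the only ACL entries are the three from the original post.

```python
"""Toy model of an ASA-style stateful check for the post's 'internal-out' ACL.

Added illustration only; it does not reproduce the real ASA packet flow.
Addresses, flows and the connection-table shape are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # tcp/udp source port (unused for icmp)
    dport: int = 0          # tcp/udp destination port (unused for icmp)
    icmp_type: str = ""     # "echo", "echo-reply", "time-exceeded", "unreachable"


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    icmp_type: str = ""     # "" means any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto == "icmp" and self.icmp_type and self.icmp_type != pkt.icmp_type:
            return False
        return True


class ToyAsa:
    """Records inside->outside flows; applies the outside-inbound ACL only to
    packets that match no recorded flow. Hypothetical class for this example."""

    def __init__(self, outside_in_acl: list):
        self.acl = outside_in_acl
        self.conns: set = set()

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # 5-tuple for tcp/udp. For icmp the type is left out on purpose so an
        # echo and its echo-reply share one entry (the only ICMP pairing modelled).
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> str:
        """inside -> outside: the post applies no ACL here, so just record the flow."""
        self.conns.add(self._key(pkt))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        """outside -> inside: connection lookup first, then the interface ACL."""
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.conns:
            return "permit (existing connection, ACL bypassed)"
        for ace in self.acl:
            if ace.matches(pkt):
                return f"{ace.action} (ACL internal-out)"
        return "deny (implicit deny at end of ACL)"


# The three entries from the post, in order; nothing else is permitted.
INTERNAL_OUT = [
    Ace("permit", "icmp", "echo-reply"),
    Ace("permit", "icmp", "time-exceeded"),
    Ace("permit", "icmp", "unreachable"),
]


def demo() -> dict:
    """Runs constructed flows through the model and returns the verdict per case."""
    asa = ToyAsa(INTERNAL_OUT)
    r = {}
    # 1. TCP session opened from inside; the SYN/ACK comes back on 'outside'.
    asa.outbound(Packet("tcp", "10.1.1.10", "198.51.100.5", 51000, 443))
    r["tcp_reply"] = asa.inbound(Packet("tcp", "198.51.100.5", "10.1.1.10", 443, 51000))
    # 2. Unsolicited SYN from outside: no connection, ACL has no tcp entry.
    r["tcp_unsolicited"] = asa.inbound(Packet("tcp", "198.51.100.9", "10.1.1.10", 40000, 22))
    # 3. ICMP traceroute: echo out; time-exceeded arrives from an intermediate hop
    #    (a different source, so it matches no connection); echo-reply from the target.
    asa.outbound(Packet("icmp", "10.1.1.10", "8.8.8.8", icmp_type="echo"))
    r["ttl_expired"] = asa.inbound(Packet("icmp", "203.0.113.1", "10.1.1.10", icmp_type="time-exceeded"))
    r["echo_reply"] = asa.inbound(Packet("icmp", "8.8.8.8", "10.1.1.10", icmp_type="echo-reply"))
    # 4. UDP traceroute: probe out; the target answers with ICMP port unreachable,
    #    which is a different protocol from the recorded UDP flow.
    asa.outbound(Packet("udp", "10.1.1.10", "192.0.2.7", 40000, 33434))
    r["udp_unreachable"] = asa.inbound(Packet("icmp", "192.0.2.7", "10.1.1.10", icmp_type="unreachable"))
    # 5. Unsolicited echo request from outside: no entry permits type "echo".
    r["echo_in"] = asa.inbound(Packet("icmp", "198.51.100.9", "10.1.1.10", icmp_type="echo"))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The model shows the two paths the reply distinguishes: return traffic of an inspected TCP/UDP/ICMP flow never reaches the ACL, while the traceroute error messages, which come from a hop or a protocol that matches no recorded flow, do reach it and pass only because of the explicit permit entries.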
