cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3956
Views
5
Helpful
4
Replies

Blocking traffic on ASA from group of public IPs

jkay18041
Level 3
Level 3

I'm for some reason having a hard time getting an ACL to work on my ASA 5515. I've created a Network Object group called Blocked_IPs and have added some public IP's I want to block inbound to the ASA.

 

On my outside interface I've set a new rule at the top that's deny Blocked_IPs to destination any with destination service set to IP and I can still ping the ASA's public IP from those IP's in the blocked_IPs group.

 

Any thoughts?

Thank you

1 Accepted Solution

Accepted Solutions

Correct, assuming you don't have another rule above in the ACL that permits the traffic.

View solution in original post

4 Replies 4

Hi @jkay18041 

An ACL is for traffic through the ASA not to the ASA itself. You will need to use the icmp command

 

icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name

 

Reference here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html

 

You cannot use object groups with this command unfortunately.

 

HTH

Ah that makes sense. If I leave it like it is though those IP's wouldn't be able to pass through the ASA though correct?

As Rob mentioned the ACLs you applied on the ASA interfaces are for the transit traffic only, not for the traffic destined to the ASA itself. ICMP can be denied with the command icmp deny. By default the ASA will allow any ICMP traffic to itself, whether initiated by a remote host, or returned to an ICMP traffic initiated by itself. However, as soon as you put in an icmp permit rule, that will trigger an implicit deny for any other ICMP traffic.

For example, if you leave the ASA with its default ICMP settings, it will allow all ICMP traffic destined, initiated by, and returned to itself. If you add a rule to permit only one public IP to reach the ASA via ICMP protocol, the ASA will allow the ICMP traffic only from that specific IP, and will also deny any other ICMP traffic automatically without having you to add any deny rule.

Now this would include the return traffic such as the echo replies, so in that case when you try to ping from the ASA itself, you would not get the replies back. To fix this, you need to add another rule to allow the echo-replies, that can be done with icmp permit any echo-reply outside. You can replace the any keyword with the specific IP addresses if you want.

Another thing worth mentioning is that the order is important when it comes to icmp permit/deny rules. If you place an icmp deny rule above a permit rule, the permit rule will never be hit. Of course that depends on what you specified in the rules as the IP address or host name. It works in a similar way of the normal ACLs check, top to bottom.

Correct, assuming you don't have another rule above in the ACL that permits the traffic.

Review Cisco Networking for a $25 gift card