10-16-2020 08:44 AM
I'm for some reason having a hard time getting an ACL to work on my ASA 5515. I've created a Network Object group called Blocked_IPs and have added some public IPs I want to block inbound to the ASA.
On my outside interface I've set a new rule at the top that denies Blocked_IPs to destination any with the destination service set to IP, and I can still ping the ASA's public IP from the IPs in the Blocked_IPs group.
Any thoughts?
Thank you
10-16-2020 08:56 AM
Correct, assuming you don't have another rule above in the ACL that permits the traffic.
10-16-2020 08:49 AM
Hi @jkay18041
An ACL is for traffic through the ASA, not to the ASA itself. You will need to use the icmp command:
icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name
Reference here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html
You cannot use object groups with this command unfortunately.
HTH
10-16-2020 08:52 AM
Ah, that makes sense. If I leave it like it is, though, those IPs wouldn't be able to pass through the ASA, correct?
10-16-2020 10:06 AM
As Rob mentioned, the ACLs you applied on the ASA interfaces are for the transit traffic only, not for the traffic destined to the ASA itself. ICMP can be denied with the command icmp deny. By default the ASA will allow any ICMP traffic to itself, whether initiated by a remote host or returned in response to ICMP traffic initiated by the ASA itself. However, as soon as you put in an icmp permit rule, that will trigger an implicit deny for any other ICMP traffic.
For example, if you leave the ASA with its default ICMP settings, it will allow all ICMP traffic destined to, initiated by, and returned to itself. If you add a rule to permit only one public IP to reach the ASA via the ICMP protocol, the ASA will allow ICMP traffic only from that specific IP, and will also deny any other ICMP traffic automatically without you having to add any deny rule.
Now this would include the return traffic such as the echo replies, so in that case when you try to ping from the ASA itself, you would not get the replies back. To fix this, you need to add another rule to allow the echo replies; that can be done with icmp permit any echo-reply outside. You can replace the any keyword with specific IP addresses if you want.
Another thing worth mentioning is that the order is important when it comes to icmp permit/deny rules. If you place an icmp deny rule above a permit rule, the permit rule will never be hit. Of course, that depends on what you specified in the rules as the IP address or host name. It works in a similar way to the normal ACL check, top to bottom.
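An added illustration (not from the thread or from Cisco documentation) of the ordering and implicit-deny behaviour described above, using the ip_address net_mask form from the command reference; the RFC 5737 documentation addresses are placeholders standing in for the poster's Blocked_IPs members:

```cisco
! Added example, not part of the original thread. Addresses are RFC 5737
! documentation space standing in for the Blocked_IPs group members.
! The icmp rules are evaluated top to bottom; the first match wins, and once
! any "icmp permit" exists, anything not matched is implicitly denied.

! 1. Deny the unwanted sources first, so a later permit cannot match them.
icmp deny 198.51.100.10 255.255.255.255 outside
icmp deny 203.0.113.0 255.255.255.0 outside

! 2. Keep echo replies for pings the ASA itself originates from "outside".
!    Without this line, "ping" from the ASA gets no replies back once a
!    permit rule has turned on the implicit deny.
icmp permit any echo-reply outside

! 3. Allow the remaining hosts to ping the outside interface. Replace "any"
!    with specific management hosts to restrict this further.
icmp permit any echo outside

! Verify the resulting order of the rules.
show running-config icmp
```

The interface ACL with the Blocked_IPs object group still applies to transit traffic, so keep it for that purpose; only traffic addressed to the ASA itself needs the icmp rules.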