Query about allowing ICMP through ASA using ACL

V Kalsi

Hello All,

I have one query on the ASA while working in GNS3.

1. I am successfully able to deny telnet traffic from inside to outside using an ACL by placing it in the IN direction on the INSIDE interface of the ASA.
2. But I am not able to allow ICMP from inside to outside by placing an ACL in the same direction as mentioned in point 1.
3. I tried applying the ACL in different directions and succeeded only when applying it in the IN direction on the OUTSIDE interface.
4. I tried different scenarios as well.
5. With MPF, I was able to allow ICMP.

Please see below logs-

Could you please tell me why there is a difference in results between Scenario 1 and Scenario 2, and what is wrong in the other scenarios?

Topology-

R1>>>>INSIDE>>>>>>ASA<<<<<OUTSIDE<<<<<R2

telnet denied

ciscoasa(config)# show run | i access
access-list inside_access extended deny tcp any any eq telnet
access-group inside_access in interface INSIDE

ping working

ciscoasa(config)#sh run | i access
access-list inside_access extended permit icmp any any

access-group inside_access in interface OUTSIDE

Ping not working

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access out interface INSIDE

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access in interface INSIDE

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access OUT interface OUTSIDE

Accepted Solution

Hi V Kalsi,

Hope you are doing good.

First of all wishing you a very happy new year.

 

For understanding this you need to understand the behaviour of security levels on the ASA.

When you are pinging from inside (higher security level) to outside (lower security level), the traffic is allowed by default. An ACL is not required on the interface with the higher security level as long as no other "allow" rule is configured.

So in your case an ACL is not required on the inside interface.

Secondly, for the return traffic you also don't require an ACL on the outside interface.

Just remove the ACL on the outside interface (for ICMP) and run the command "fixup protocol icmp".

It will enable ICMP inspection, and all ICMP return traffic will be allowed without requiring an ACL.

But since ICMP inspection is not enabled on your device, the below config is providing you a workaround by allowing the return traffic (with the help of an ACL).

ciscoasa(config)#sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access in interface OUTSIDE

Ideally the above config is only required to permit "outside traffic to inside."

 

Please mark this post as helpful and accept it as solution if it resolves your concern.

 

BR

shivdube

EX-CISCO TAC Engg

 


4 Replies

By default, ICMP is not inspected statefully on the ASA. That can be easily enabled with "fixup protocol icmp".

Thank you for the reply, but I want to allow traffic from outside to inside, and I did allow it using an ACL. I tried applying the ACL in different directions and, as you can see above, I succeeded with one option.
ping working
ciscoasa(config)#sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access in interface OUTSIDE
With this option I am able to ping from outside to inside and from inside to outside. So I want to know how this ACL is allowing me to ping from inside to outside.

But with the below options I am not able to allow ICMP in either direction.
Why is this so?
Could you tell me the reason behind this?

Ping not working

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access out interface INSIDE

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access in interface INSIDE

ciscoasa(config)# sh run | i access
access-list inside_access extended permit icmp any any
access-group inside_access OUT interface OUTSIDE

Typically, you only have one ACL per direction. Most admins configure one incoming ACL per interface, and each ACL controls the traffic that is initiated on that interface. Given that you enabled the statefulness of ICMP, the inside-in ACL controls the ping (and of course all other traffic) that is initiated from inside and sent to any other interface; the outside-in ACL does the same for traffic initiated on the outside.

If you combine incoming and outgoing ACLs on the ASA, all ACLs in the direction of the initiating traffic have to allow it.

That means: if you have an ACL incoming on the inside interface and outgoing on the outside interface, both have to allow the traffic.
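To make the behaviour described in the accepted answer and in the reply above concrete, here is an added example (not code from Cisco or from anyone in this thread): a small Python model of how the ASA evaluates a packet against the ingress interface's inbound ACL (or, with no ACL applied, the security-level rule), the egress interface's outbound ACL, and its stateful connection table, with ICMP tracked only when ICMP inspection is on. It replays the five configurations from the original post plus the two cases raised in the replies; the interface names, security levels (100 and 0) and ACL contents are the thread's, everything else is an assumption of this toy model.

```python
"""Toy model of how an ASA evaluates a single packet against interface ACLs,
security levels and its stateful connection table.  Added example for this
thread, not Cisco software; it encodes only the rules described in the
replies: an ACL applied to an interface replaces the security-level rule for
that interface, an outbound ACL on the egress interface must also permit the
packet, TCP is always tracked, and ICMP is tracked only when ICMP inspection
("fixup protocol icmp") is enabled."""

from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ace:
    """One access-list entry: 'permit'/'deny', protocol, optional TCP/UDP port."""
    action: str
    proto: str                       # "icmp", "tcp" or "any"
    dport: Optional[int] = None


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[list] = None    # access-group ... in interface NAME
    acl_out: Optional[list] = None   # access-group ... out interface NAME


@dataclass
class Asa:
    interfaces: dict
    icmp_inspection: bool = False    # "fixup protocol icmp"
    conns: set = field(default_factory=set)  # connection table (stateful)

    @staticmethod
    def _acl_permits(acl, proto, dport):
        for ace in acl:
            if ace.proto in ("any", proto) and ace.dport in (None, dport):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ASA ACL

    def forward(self, ingress, egress, proto, dport=None, key=None):
        """True if a packet entering `ingress` and leaving via `egress` is passed."""
        src, dst = self.interfaces[ingress], self.interfaces[egress]
        # Return traffic of a tracked connection bypasses the ACL checks.
        if key is not None and key in self.conns:
            return True
        # Inbound check on the ingress interface. With an ACL applied the ACL
        # decides; without one, only higher -> lower security is allowed.
        if src.acl_in is not None:
            allowed = self._acl_permits(src.acl_in, proto, dport)
        else:
            allowed = src.security_level > dst.security_level
        if not allowed:
            return False
        # An outbound ACL on the egress interface, if applied, must also permit.
        if dst.acl_out is not None and not self._acl_permits(dst.acl_out, proto, dport):
            return False
        # Record the flow so the reply is matched: TCP always, ICMP only if inspected.
        if key is not None and (proto != "icmp" or self.icmp_inspection):
            self.conns.add(key)
        return True

    def ping(self, from_if, to_if):
        """Echo request one way and echo reply back; both legs must be passed."""
        key = ("icmp", from_if, to_if)
        return (self.forward(from_if, to_if, "icmp", key=key)
                and self.forward(to_if, from_if, "icmp", key=key))


PERMIT_ICMP = [Ace("permit", "icmp")]
DENY_ICMP = [Ace("deny", "icmp")]
DENY_TELNET = [Ace("deny", "tcp", 23)]


def build(in_inside=None, out_inside=None, in_outside=None, out_outside=None, inspect=False):
    """Two-interface ASA as in the thread topology: INSIDE (100) and OUTSIDE (0)."""
    return Asa({"INSIDE": Interface("INSIDE", 100, in_inside, out_inside),
                "OUTSIDE": Interface("OUTSIDE", 0, in_outside, out_outside)},
               icmp_inspection=inspect)


def run_scenarios():
    """Replays the thread's configurations; returns {scenario: traffic passed?}."""
    return {
        # telnet denied: ACL in on INSIDE
        "telnet_in_inside": build(in_inside=DENY_TELNET).forward("INSIDE", "OUTSIDE", "tcp", 23),
        # ping working: ACL in on OUTSIDE lets the echo reply (and outside-initiated pings) in
        "icmp_in_outside": build(in_outside=PERMIT_ICMP).ping("INSIDE", "OUTSIDE"),
        "icmp_in_outside_reverse": build(in_outside=PERMIT_ICMP).ping("OUTSIDE", "INSIDE"),
        # ping not working: the echo reply is still dropped when it enters OUTSIDE
        "icmp_out_inside": build(out_inside=PERMIT_ICMP).ping("INSIDE", "OUTSIDE"),
        "icmp_in_inside": build(in_inside=PERMIT_ICMP).ping("INSIDE", "OUTSIDE"),
        "icmp_out_outside": build(out_outside=PERMIT_ICMP).ping("INSIDE", "OUTSIDE"),
        # accepted answer: no ACL at all, just ICMP inspection
        "fixup_no_acl": build(inspect=True).ping("INSIDE", "OUTSIDE"),
        # reply above: in-ACL on INSIDE and out-ACL on OUTSIDE must both permit
        "in_inside_out_outside_deny": build(in_inside=PERMIT_ICMP, out_outside=DENY_ICMP,
                                            inspect=True).ping("INSIDE", "OUTSIDE"),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'passes' if ok else 'blocked'}")
```

Running it shows why only the outside-in ACL "worked" without inspection: the echo reply arriving on OUTSIDE is a new flow from the lower security level, so it is dropped unless an inbound ACL on OUTSIDE permits it, and that same ACL also opens outside-initiated pings. With ICMP inspection enabled the reply matches the connection entry created by the request and no ACL is needed on OUTSIDE at all.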
