05-26-2024 04:13 AM
I have configured a PC1 on the inside of the ASA firewall and a second PC2 on the outside of the ASA firewall.
Inside security level 100 and outside security level 0.
When I add an ACL from inside to outside and an access-group, I get replies from PC2 back.
When I add an ACL from outside to inside and an access-group, I get replies from PC1 back.
I have applied two access-groups for two ACLs; when I do show run access-group
it shows me only one access-group command:
1- access-group IN-OUT in interface outside
2- access-group OUT-IN in interface outside
When I apply access-group IN-OUT in interface outside, I can ping from inside to outside,
and when I apply access-group OUT-IN, the IN-OUT access-group command is removed; I can ping from outside to inside, but it is replaced with IN-OUT, hence I can see only one
access-group command in show access-group output, either IN-OUT or OUT-IN.
In this scenario I cannot ping from PC1 to PC2 and from PC2 to PC1 simultaneously.
05-26-2024 05:01 AM
I need to see the ACL you use.
MHM
05-26-2024 05:56 AM
Could you post the code you use?
05-26-2024 07:12 AM
If I read correctly, replies means ping? If this is an ASA, you do not need an inside-to-outside ACL; you just need protocol fix-up for ICMP.
That should work inside to outside.
You need an ACL allowing only from the outside network to inside.
A different example you can view here:
05-26-2024 07:39 AM
05-26-2024 08:31 AM
But I wanted to apply an ACL for ICMP echo reply,
like access-list outside extended permit icmp any any echo-reply.
You want to allow only echo?
There are different ways to do this, but we need to see your configuration and how that was configured.
Example from my notes:
policy-map global_policy
class inspection_default
inspect icmp
!
access-list outside extended permit icmp any any echo
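As an added example (not from the original thread; the ACL names beyond OUT-IN and the addresses are made up), here is why the two access-group commands collide and two alternative configurations that let PC1 and PC2 ping each other at the same time. An ASA binds exactly one access list per interface per direction, so a second `access-group ... in interface outside` silently replaces the first. The fix is either one ACL that carries every rule you need inbound on outside, or ICMP inspection so that the echo-replies for inside-initiated pings are matched by connection state instead of by an ACL entry. Use one option or the other, not both.

```cisco
! ---- Option A: a single inbound ACL on outside that holds both rules ----
! Without "inspect icmp" the ASA treats ICMP statelessly, so the echo-replies
! coming back from PC2 must be explicitly permitted inbound on outside.
access-list OUT-IN-A extended permit icmp any any echo
access-list OUT-IN-A extended permit icmp any any echo-reply
access-group OUT-IN-A in interface outside
!
! ---- Option B: ICMP inspection plus an inbound ACL that permits only echo ----
! Inspection creates a connection entry for the echo that PC1 sends out, so the
! matching echo-reply from PC2 is allowed by state; the ACL never has to list it.
policy-map global_policy
 class inspection_default
  inspect icmp
!
access-list OUT-IN-B extended permit icmp any any echo
access-group OUT-IN-B in interface outside
!
! No access-group is needed on the inside interface: traffic from security
! level 100 to 0 is permitted implicitly as long as no ACL is bound there.
! Binding one would replace that implicit permit with the ACL's implicit deny.
!
! ---- Verification (10.0.0.10 = PC1 inside, 192.0.2.10 = PC2 outside, made up) ----
show run access-group
packet-tracer input outside icmp 192.0.2.10 8 0 10.0.0.10
packet-tracer input inside icmp 10.0.0.10 8 0 192.0.2.10
show access-list OUT-IN-B
```

`show run access-group` should now list one line for outside and nothing for inside; both `packet-tracer` runs should end in ALLOW, and the hit counts in `show access-list` rise with each ping. `permit icmp any any echo` from outside is fine for a lab, but on a production edge it lets any reachable source ping inside hosts; restrict the source to the management or partner networks that actually need it.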
05-26-2024 11:08 AM
My ACL for echo reply is as follows:
access-list IN-OUT extended permit icmp any any echo-reply
access-group IN-OUT in interface outside
My ACL for ICMP traffic initiated from outside:
access-list OUT-IN extended permit icmp any any
access-group OUT-IN in interface outside
I try to add two access-group statements for both ACLs, but the ASA firewall saves only one access-group command in its configuration.
I cannot ping from PC1, which is on the inside of the firewall, to PC2, which is outside of the ASA firewall,
and from PC2 to PC1 simultaneously.
I try to add
2- access-group OUT-IN in interface outside
05-26-2024 11:55 AM
05-26-2024 01:53 PM
05-27-2024 06:33 AM
That works, thank you for the support.
I can ping simultaneously.
05-27-2024 06:39 AM
You are so welcome
MHM