Packet Tracer: access-group out seems not working

KirDoan
Level 1

Hi everyone, I can't figure out why this ACL does not apply to the outside interface of the ASA. I want to deny all the traffic that is not NATed to the outside network, so I created this network to test the command, but it just doesn't work.

access-list OUTSIDE-DENY-OUT extended deny ip 172.16.1.0 255.255.255.0 any
access-group OUTSIDE-DENY-OUT out interface outside

In Simulation mode, it doesn't even bother to check the ACL criteria, so I thought this was a bug, or am I missing something here? I'm a student and new to networking; any help would be greatly appreciated!

Also, I have attached the pkt file.

7 Replies

ACL is correct. Did you initiate traffic from inside to outside?

Yes, I did try to ping using the private IP address (172.16.1.2/24) from the inside network.

Is this the IP of the inside interface?

172.16.1.2/24 is one of the hosts on the inside network; the inside interface on the ASA is 172.16.1.1/24. The outside interface IP is 1.0.0.1/8.

OK, can you share the ASA config here? I don't have pkt, so I cannot open the zip file.

Sure, here is the ASA config:

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 1.0.0.1 255.0.0.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
!
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo-reply
access-list OUTSIDE-PERMIT-IN extended permit icmp any any unreachable
access-list OUTSIDE-DENY-OUT extended deny ip 172.16.1.0 255.255.255.0 any
!
!
access-group OUTSIDE-PERMIT-IN in interface outside
access-group OUTSIDE-DENY-OUT out interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect icmp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!

Did you see the config reply? I can't see it in the replies for some reason, so here is the txt file instead.
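The ACL behaviour the thread is asking about, as an added example that is not part of the post and not Packet Tracer or ASA code: a small Python model of how an ASA evaluates an extended ACL bound with access-group (the ACL applies only to the interface and direction it is bound to, first match wins, and an applied ACL ends with an implicit deny). Fed the poster's own access-list and access-group lines, it shows the 172.16.1.2 packet hitting line 1 of OUTSIDE-DENY-OUT on the way out of outside, and also that a packet from any other source still hits the implicit deny, since the ACL has no permit entry after its deny; the address-parsing helper and the Packet tuple are my own constructions.

```python
import ipaddress
from collections import namedtuple
# ACL and access-group lines copied from the poster's ASA config (constructed input).
CONFIG = """
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo-reply
access-list OUTSIDE-PERMIT-IN extended permit icmp any any unreachable
access-list OUTSIDE-DENY-OUT extended deny ip 172.16.1.0 255.255.255.0 any
access-group OUTSIDE-PERMIT-IN in interface outside
access-group OUTSIDE-DENY-OUT out interface outside
"""
# A packet as the ACL sees it; icmp_type is e.g. "echo" or "echo-reply", None for non-ICMP.
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=(None,))
def _addr(fields):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1]), fields[2:]
    return ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False), fields[2:]
def parse(config):
    """Return ({acl_name: [entries]}, {(interface, direction): acl_name})."""
    acls, groups = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[0] == "access-list" and tok[2] == "extended":
            src, rest = _addr(tok[5:])
            dst, rest = _addr(rest)
            acls.setdefault(tok[1], []).append({
                "action": tok[3], "proto": tok[4], "src": src, "dst": dst,
                "icmp_type": rest[0] if tok[4] == "icmp" and rest else None})
        elif len(tok) == 5 and tok[0] == "access-group" and tok[3] == "interface":
            groups[(tok[4], tok[2])] = tok[1]   # e.g. ("outside", "out") -> "OUTSIDE-DENY-OUT"
    return acls, groups
def check(config, iface, direction, pkt):
    """First-match evaluation of the ACL bound to (iface, direction); returns (action, line)."""
    acls, groups = parse(config)
    name = groups.get((iface, direction))
    if name is None:
        return ("no-acl", None)   # nothing bound here; security levels decide instead
    for n, entry in enumerate(acls[name], 1):
        if (entry["proto"] in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in entry["src"]
                and ipaddress.ip_address(pkt.dst) in entry["dst"]
                and entry["icmp_type"] in (None, pkt.icmp_type)):
            return (entry["action"], n)
    return ("deny", None)         # every applied ASA ACL ends with an implicit deny
```

A line number of None in the result means no entry matched and the implicit deny fired, which is what happens to everything leaving outside under this config, not only the un-NATed 172.16.1.0/24 traffic.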