Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
813
Views
0
Helpful
7
Replies

Packet Tracer: access-group out seems not working

KirDoan
Level 1
Level 1

‎10-15-2023 03:40 AM

Hi everyone, I can't figure out how this ACL do not apply to the outside interface of the ASA, I want to deny all the traffic that is not NATed to outside network, so I created this network test the command but it just doesn't work.

access-list OUTSIDE-DENY-OUT extended deny ip 172.16.1.0 255.255.255.0 any
access-group OUTSIDE-DENY-OUT out interface outside

In Simulation mode, it doesn't even bother to check the ACL criteria, so I thought this was a bug or am I missing something here? I'm a student and new to networking, any help would be greatly appreciated!

Also, I have attached the pkt file.

Labels:
test.zip
0 Helpful
7 Replies 7

MHM Cisco World
VIP
VIP

‎10-15-2023 03:50 AM

ACL is correct' did you initiate traffic from inside to outside ?

0 Helpful

KirDoan
Level 1
Level 1
In response to MHM Cisco World

‎10-15-2023 03:55 AM

Yes, I did try to ping using the private IP address (172.16.1.2/24) from inside network

0 Helpful

MHM Cisco World
VIP
VIP
In response to KirDoan

‎10-15-2023 04:02 AM

This is ip of inside interface?

0 Helpful

KirDoan
Level 1
Level 1
In response to MHM Cisco World

‎10-15-2023 04:07 AM

172.16.1.2/24 is the one of the hosts of inside network, the inside interface on the ASA is 172.16.1.1/24. The outside interface ip is 1.0.0.1/8

0 Helpful

MHM Cisco World
VIP
VIP
In response to KirDoan

‎10-15-2023 04:09 AM

Ok' can you share asa config here  I dont have pkt so I can not open zip file.

0 Helpful

KirDoan
Level 1
Level 1
In response to MHM Cisco World

‎10-15-2023 04:13 AM

Sure, here is the asa config:

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 1.0.0.1 255.0.0.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
!
!
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo
access-list OUTSIDE-PERMIT-IN extended permit icmp any any echo-reply
access-list OUTSIDE-PERMIT-IN extended permit icmp any any unreachable
access-list OUTSIDE-DENY-OUT extended deny ip 172.16.1.0 255.255.255.0 any
!
!
access-group OUTSIDE-PERMIT-IN in interface outside
access-group OUTSIDE-DENY-OUT out interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect icmp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!

0 Helpful

KirDoan
Level 1
Level 1
In response to MHM Cisco World

‎10-15-2023 04:38 AM - edited ‎10-15-2023 04:38 AM

Did you see the config reply? I can't see it in the replies for some reason so here is the txt file instead

2 KB
0 Helpful
Customers Also Viewed These Support Documents