Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1220
Views
0
Helpful
7
Replies

Understanding ACL entries and applying them to FW interfaces

CiscoStretch
Level 1
Level 1

‎09-26-2022 06:23 PM

Hello. I am trying to configure a network and set up ACL's. I need to allow R1 to ping R2. R1 is on the outside of my firewall and R2 is on the inside. I have created the ACL entries on the firewall to permit ICMP both ways, however I still cannot get the pings to work. I also tried enabling echo-reply but also have an error. When I run the command "access list 101 permit... etc etc" do I need to create a new number for each ACL entry? Or do they all get the "access list 101" entry? 

 

Im trying to apply the ACL entries to different interfaces of the firewall, and when I run "access-group 101 in interface outside" it works, however I'm just wondering HOW it works when there are multiple entries that say access list 101. Please help.

 

Labels:
0 Helpful
7 Replies 7

Kasun Bandara
VIP
VIP

‎09-26-2022 07:03 PM

after creation of ACL, you need to map that ACL to relevent interface with inbound or outbound. check below guide. chare your config to review 

https://www.auvik.com/franklyit/blog/acls-cisco-asa-firewalls/

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

ammahend
VIP Alumni
VIP Alumni

‎09-26-2022 07:47 PM

this will allow out to in ICMP as well is in to out even if ICMP inspection is not enabled.

access-list ALLOW_ICMP extended permit icmp any any

access-group ALLOW_ICMP in interface OUTSIDE

-hope this helps-
0 Helpful

CiscoStretch
Level 1
Level 1
In response to ammahend

‎09-26-2022 08:23 PM

I just tried that and it said "allow_icmp" does not exist.

0 Helpful

ammahend
VIP Alumni
VIP Alumni
In response to CiscoStretch

‎09-26-2022 08:39 PM - edited ‎09-26-2022 08:39 PM

send a screen shot please

-hope this helps-
0 Helpful

MHM Cisco World
VIP
VIP
In response to CiscoStretch

‎09-27-2022 03:05 AM

simply do you config route for other router  in each router point to ASA ?

0 Helpful

paul driver
VIP
VIP

‎09-27-2022 01:06 AM

Hello
can you post the access-list please.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Spooster IT Services
Level 7
Level 7

‎11-15-2022 04:23 AM

Hi , 

1). R2(192.168.2.1)( inside) is to be pinged from R1(192.168.1.1)(Outside) .  By default Nameif Inside has a security = 100 , while Nameif Outside is set to a lower security let's suppose = 0 

2). Default Behaviour of the Firewall won't allow the traffic to move from Low security to High security 

3). To Bypass default behaviour  ACL will be used 

4). # access-list XYZ permit icmp host 192.168.1.1 host 192.168.2.1 

     # access-group XYZ in interface outside  

Note : You can also verify "inspect icmp"command under policy map.

Spooster IT Services Team
0 Helpful
Customers Also Viewed These Support Documents