Understanding ACL entries and applying them to FW interfaces
09-26-2022 06:23 PM
Hello. I am trying to configure a network and set up ACLs. I need to allow R1 to ping R2. R1 is on the outside of my firewall and R2 is on the inside. I have created the ACL entries on the firewall to permit ICMP both ways, however I still cannot get the pings to work. I also tried enabling echo-reply but also have an error. When I run the command "access list 101 permit... etc etc" do I need to create a new number for each ACL entry? Or do they all get the "access list 101" entry?
I'm trying to apply the ACL entries to different interfaces of the firewall, and when I run "access-group 101 in interface outside" it works, however I'm just wondering HOW it works when there are multiple entries that say access list 101. Please help.
Labels: Routing Protocols
09-26-2022 07:03 PM
After creation of the ACL, you need to map that ACL to the relevant interface with inbound or outbound. Check the guide below. Share your config to review.
https://www.auvik.com/franklyit/blog/acls-cisco-asa-firewalls/
Good luck
KB
09-26-2022 07:47 PM
This will allow out-to-in ICMP as well as in-to-out, even if ICMP inspection is not enabled.
access-list ALLOW_ICMP extended permit icmp any any
access-group ALLOW_ICMP in interface OUTSIDE
09-26-2022 08:23 PM
I just tried that and it said "allow_icmp" does not exist.
09-26-2022 08:39 PM - edited 09-26-2022 08:39 PM
Send a screenshot please.
09-27-2022 03:05 AM
Simply: did you configure a route for the other router in each router, pointing to the ASA?
09-27-2022 01:06 AM
Hello,
can you post the access-list please.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

11-15-2022 04:23 AM
Hi,
1). R2 (192.168.2.1) (inside) is to be pinged from R1 (192.168.1.1) (outside). By default nameif inside has security = 100, while nameif outside is set to a lower security, let's suppose = 0.
2). The default behaviour of the firewall won't allow traffic to move from low security to high security.
3). To bypass the default behaviour, an ACL will be used.
4). # access-list XYZ permit icmp host 192.168.1.1 host 192.168.2.1
# access-group XYZ in interface outside
Note: You can also verify the "inspect icmp" command under the policy map.
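As an added example that is not part of this thread and not Cisco code, the following Python models the behaviour asked about in the question and described in the last answer: every `access-list 101 ...` line appends one entry to the single list named 101 (the number is the list, not one entry), `access-group` binds that whole list inbound on one interface, lookup is first-match with an implicit deny at the end, and with no ACL bound the security-level default applies (high to low only). It also models why an inside-initiated ping needs either `inspect icmp` or an inbound ACL for the echo-reply, and that ACL names are case-sensitive, which is why `allow_icmp` is rejected after `ALLOW_ICMP` was defined. The topology and addresses (R1 192.168.1.1 on outside at level 0, R2 192.168.2.1 on inside at level 100) follow the last answer; the `Asa` class, its method names and the constructed config lines are assumptions of this example.

```python
"""Toy model of Cisco ASA interface-ACL evaluation (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


def _addr(toks, i):
    """Parse one address operand: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


@dataclass
class Asa:
    interfaces: dict                              # nameif -> (security level, connected net)
    acls: dict = field(default_factory=dict)      # ACL name -> ordered list of ACEs
    groups: dict = field(default_factory=dict)    # nameif -> ACL name bound inbound
    inspect_icmp: bool = False
    conns: set = field(default_factory=set)       # tracked flows (proto, src, dst)

    def configure(self, line):
        toks = line.split()
        if toks[0] == "access-list":
            # Each line naming the same ACL appends one ACE to that list.
            i = 3 if toks[2] == "extended" else 2
            src, j = _addr(toks, i + 2)
            dst, _ = _addr(toks, j)
            self.acls.setdefault(toks[1], []).append(Ace(toks[i], toks[i + 1], src, dst))
        elif toks[0] == "access-group":
            # "access-group NAME in interface NAMEIF"; only inbound is modelled.
            if toks[1] not in self.acls:            # names are case-sensitive
                raise ValueError(f"access-list {toks[1]} does not exist")
            if toks[4] not in self.interfaces:
                raise ValueError(f"interface {toks[4]} does not exist")
            self.groups[toks[4]] = toks[1]
        else:
            raise ValueError("unsupported command: " + line)

    def _egress(self, dst):
        for name, (_, net) in self.interfaces.items():
            if dst in net:
                return name
        raise ValueError("no route to " + str(dst))

    def forward(self, iface_in, proto, src, dst):
        """Return 'permit' or 'deny' for a packet arriving on iface_in."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        iface_out = self._egress(dst)
        # 1. Reply traffic of an inspected ICMP flow bypasses the interface ACL.
        if self.inspect_icmp and proto == "icmp" and (proto, dst, src) in self.conns:
            return "permit"
        acl = self.groups.get(iface_in)
        if acl is not None:
            # 2. Bound ACL: top-down, first match wins, implicit deny at the end.
            verdict = "deny"
            for ace in self.acls[acl]:
                if ace.matches(proto, src, dst):
                    verdict = ace.action
                    break
        else:
            # 3. No ACL bound: security-level default, high -> low only.
            verdict = ("permit" if self.interfaces[iface_in][0] > self.interfaces[iface_out][0]
                       else "deny")
        if verdict == "permit":
            self.conns.add((proto, src, dst))
        return verdict


def new_asa():
    # Constructed topology from the thread: outside level 0, inside level 100.
    return Asa({"outside": (0, ipaddress.ip_network("192.168.1.0/24")),
                "inside": (100, ipaddress.ip_network("192.168.2.0/24"))})


def outside_to_inside_demo():
    """R1 pings R2 before and after ACL 101 is built from several lines and bound."""
    asa = new_asa()
    before = asa.forward("outside", "icmp", "192.168.1.1", "192.168.2.1")   # low -> high: deny
    asa.configure("access-list 101 permit icmp host 192.168.1.1 host 192.168.2.1")
    asa.configure("access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.1")
    asa.configure("access-group 101 in interface outside")
    after = asa.forward("outside", "icmp", "192.168.1.1", "192.168.2.1")    # matches ACE 1
    udp = asa.forward("outside", "udp", "192.168.1.1", "192.168.2.1")       # implicit deny
    return before, after, udp


def inside_ping_reply_demo(inspect_icmp):
    """R2 pings R1: the echo goes high -> low, but the reply comes back low -> high."""
    asa = new_asa()
    asa.inspect_icmp = inspect_icmp
    echo = asa.forward("inside", "icmp", "192.168.2.1", "192.168.1.1")
    reply = asa.forward("outside", "icmp", "192.168.1.1", "192.168.2.1")
    return echo, reply


if __name__ == "__main__":
    print(outside_to_inside_demo())
    print(inside_ping_reply_demo(False), inside_ping_reply_demo(True))
```

Running the file prints `('deny', 'permit', 'deny')` for the outside-to-inside case and `('permit', 'deny') ('permit', 'permit')` for the inside-initiated ping without and with ICMP inspection, which is the difference the last answer's note about `inspect icmp` is pointing at.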
