ACL's on ACE Appliance

Unanswered Question
May 26th, 2008
User Badges:
  • Gold, 750 points or more


In the ACE Appliance management remote access examples there is an ACL which has "permit ip any any" but in my test configurations it works fine without this. For example, icmp is controlled by whether or not there is a matching class-map entry in the management class and this works whether the ACL is present or not.

What's the purpose of the "permit ip any any" ACL?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Roble Mumin Mon, 05/26/2008 - 09:14
User Badges:
  • Bronze, 100 points or more

I think there is a difference between traffic to the interface and traffic over the interface.

You can have a working management policy for ssh access and ICMP to the interface but to make sure traffic flows from the client side to the server side you need to allow it.

So that is where the permit IP any any access-list is necessary to make sure traffic flows through the ACE. IIRC there will be no traffic flowing through the appliance if you don't have the permit ip any access-list on the according interfaces.

The closest thing to this might be on a PIX or ASA. You have the ICMP traffic through the interface controlled by the ACL statements and ICMP traffic towards the interface controlled by the ICMP statement itself.

I hope that explains if i didn't get you wrong.

If am writing total BS i probably get corrected soon. :)


Syed Iftekhar Ahmed Tue, 05/27/2008 - 11:11
User Badges:
  • Blue, 1500 points or more


Remote access traffic "to the ACE" is controlled by management policy.


"Through the ACE" is controlled by the ACL.



This Discussion