Traffic is not able to pass through the PIX/ASA security appliance

Jun 18, 2009 4:03 PM

Core issue

One cause of this problem is an incorrect order of access-list entries. The PIX/ASA evaluates access rules in the order in which they appear, so the sequence determines which rule is applied to the traffic.

Resolution

In order to allow traffic to pass through the PIX/ASA, create access-lists and apply them to a specific interface with the access-group command.

  • Access-list entries are evaluated from top to bottom.

  • An entry can be given precedence by specifying its line number in the access-list command.

  • The order of the entries in an access-list applied to an interface is essential, because an incorrect sequence can block traffic that should be allowed.

  • You can put all the permit statements first and then set the access-lists to deny undesired traffic.

Comments

mikecrowe4ICS_2 Thu, 10/21/2010 - 22:05

You can put all the permit statements first and then set the access-lists to deny

Actually, any access-list on an ASA/PIX/FWSM, or in IOS, already includes an implicit deny at the end of the list.  This will deny any traffic not already permitted in previous rules.  Of course, unless you've added "permit ip any any" to the end of the ACL.

You only need to add a final deny statement if you want to log denied traffic.
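The following is an added example, not part of the original document or of Cisco's software: a small Python model of the first-match evaluation described in the Resolution section and of the implicit deny discussed in the comment above. It builds the same two-entry access-list in the correct and in the reversed order, repairs the reversed list by inserting an entry at line 1, and returns which line (if any) matched a packet. The access-list name, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the packets are constructed for illustration.

```python
"""First-match ACL evaluator: models how an ASA/PIX walks an access-list top to
bottom, stops at the first matching entry, and falls through to the implicit
deny when nothing matches. Constructed example; addresses are RFC 5737 ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _net(spec: str) -> ipaddress.IPv4Network:
    """Turn 'any' or a CIDR/host string into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass
class Ace:
    """One access-control entry, as in 'access-list NAME line N permit tcp ...'."""
    line: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any destination port
    log: bool = False                 # the 'log' keyword on an explicit entry

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (
            self.proto in ("ip", proto)
            and ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and (self.dport is None or self.dport == dport)
        )


@dataclass
class AccessList:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def add(self, action, proto, src, dst, dport=None, line=None, log=False):
        """Append an entry, or insert it at 'line' (later entries are renumbered),
        mirroring the 'line N' keyword used to give an entry precedence."""
        ace = Ace(0, action, proto, _net(src), _net(dst), dport, log)
        idx = len(self.aces) if line is None else line - 1
        self.aces.insert(idx, ace)
        for i, a in enumerate(self.aces, start=1):   # keep line numbers contiguous
            a.line = i

    def evaluate(self, proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
        """Return (action, line) of the first matching entry, or ('deny', None)
        when nothing matches: the implicit deny has no line of its own."""
        for ace in self.aces:                          # top to bottom, first match wins
            if ace.matches(proto, src, dst, dport):
                return ace.action, ace.line
        return "deny", None


def build_ordered() -> AccessList:
    """Permit the web server first, then deny the rest of the DMZ (constructed)."""
    acl = AccessList("outside_in")
    acl.add("permit", "tcp", "any", "192.0.2.10/32", dport=80)
    acl.add("deny", "ip", "any", "192.0.2.0/24", log=True)
    return acl


def build_misordered() -> AccessList:
    """Same two entries with the deny first: the permit below it is never reached."""
    acl = AccessList("outside_in")
    acl.add("deny", "ip", "any", "192.0.2.0/24", log=True)
    acl.add("permit", "tcp", "any", "192.0.2.10/32", dport=80)
    return acl


def repair_misordered() -> AccessList:
    """Fix the ordering with a line number instead of rebuilding the whole list."""
    acl = build_misordered()
    acl.add("permit", "tcp", "any", "192.0.2.10/32", dport=80, line=1)
    return acl


if __name__ == "__main__":
    web = ("tcp", "198.51.100.5", "192.0.2.10", 80)   # constructed client request
    for label, acl in (("ordered", build_ordered()),
                       ("misordered", build_misordered()),
                       ("repaired", repair_misordered())):
        print(f"{label:10s} -> {acl.evaluate(*web)}")
```

The repaired list still carries the old permit at line 3, now shadowed by the deny at line 2; after confirming the traffic passes, that shadowed entry can be removed. A packet that matches no entry comes back as a deny with no line number, which is the behaviour the comment describes: an explicit trailing deny is only needed when you want an entry of your own (for example one carrying the log keyword) to be the thing that matches.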
