
ACL's on ACE Appliance

Hi,

In the ACE Appliance management remote access examples there is an ACL which has "permit ip any any" but in my test configurations it works fine without this. For example, icmp is controlled by whether or not there is a matching class-map entry in the management class and this works whether the ACL is present or not.

What's the purpose of the "permit ip any any" ACL?

thanks,

Andrew.

2 REPLIES

Re: ACL's on ACE Appliance

I think there is a difference between traffic to the interface and traffic over the interface.

You can have a working management policy for ssh access and ICMP to the interface but to make sure traffic flows from the client side to the server side you need to allow it.

So that is where the permit IP any any access-list is necessary to make sure traffic flows through the ACE. IIRC there will be no traffic flowing through the appliance if you don't have the permit ip any access-list on the according interfaces.

The closest thing to this might be on a PIX or ASA. You have the ICMP traffic through the interface controlled by the ACL statements and ICMP traffic towards the interface controlled by the ICMP statement itself.

I hope that explains it, if I didn't get you wrong.

If I am writing total BS, I will probably get corrected soon. :)

Roble

Re: ACL's on ACE Appliance

True

Remote access traffic "to the ACE" is controlled by management policy.

&

"Through the ACE" is controlled by the ACL.

Syed
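To make the two replies concrete, here is an added configuration sketch (not from the original thread or from Cisco's documentation) that shows where each control sits on an ACE interface. The VLAN number, addresses and object names are assumptions chosen for illustration; the interface-level commands are the standard ACE keywords for attaching an ACL (`access-group`) and a management policy (`service-policy`).

```cisco
! Added example, not part of the original thread. VLAN 100, 10.0.0.0/24 and
! the names below are made up for illustration.

! --- "Through the ACE": data-plane traffic crossing the interface ---
! Without an inbound ACL on the VLAN, the ACE drops transit traffic by
! default. "permit ip any any" opens everything; a narrower ACL that only
! permits the VIPs and ports the ACE actually serves is the safer choice.
access-list ALLOW_VIP_TRAFFIC line 10 extended permit tcp any host 10.0.0.50 eq www
access-list ALLOW_VIP_TRAFFIC line 20 extended permit tcp any host 10.0.0.50 eq https

! --- "To the ACE": management traffic addressed to the interface itself ---
! The management class-map decides which protocols (ssh, icmp, ...) the
! box answers on this VLAN, independently of the ACL above. Restricting
! the source to the admin subnet limits who can even attempt to log in.
class-map type management match-any REMOTE_MGMT
  2 match protocol ssh source-address 10.0.0.0 255.255.255.0
  3 match protocol icmp source-address 10.0.0.0 255.255.255.0

policy-map type management first-match REMOTE_MGMT_POLICY
  class REMOTE_MGMT
    permit

interface vlan 100
  ip address 10.0.0.1 255.255.255.0
  ! ACL governs traffic passing through this interface
  access-group input ALLOW_VIP_TRAFFIC
  ! management policy governs traffic terminating on this interface
  service-policy input REMOTE_MGMT_POLICY
  no shutdown
```

This is why the original test worked without the ACL: ping and SSH to the interface are decided by `REMOTE_MGMT_POLICY` alone, so they keep working when `access-group` is missing, while client-to-server flows across the ACE stop until an inbound ACL permits them.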
