
ACL on Outside Interface not being hit

Hi All,

On my ASA Outside Interface I have the following configured -

access-list out_in extended permit icmp any any alternate-address
access-list out_in extended permit icmp any any echo
access-list out_in extended permit icmp any any traceroute
access-list out_in extended permit icmp any any time-exceeded
access-list out_in extended permit icmp any any unreachable
access-list out_in extended permit icmp any any echo-reply

access-group out_in in interface outside

When pinging my IP address of the Outside Int - and then checking my ACL, I see no hits against it. Have I gone wrong somewhere? Also, even when I remove the ACL I can still ping the Interface.

 

Thanks

 

3 REPLIES
Hall of Fame Super Blue

An ACL is used to control traffic through the firewall and not to interfaces on the firewall itself. That is why you do not see any hits when you ping the outside interface.

The ASA by default allows all ICMP to any interface unless you configure it otherwise so that is why even without an ACL it is still allowed.

See this link for details on how to configure the ASA in terms of controlling ICMP to the firewall interfaces -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047

Jon

Bronze

Thanks for that Jon.

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

This is assuming the any option is available. Not at my ASA just now to check.

Hall of Fame Super Blue

If I wanted to then control ICMP to the interface would I just use this global command

icmp { permit | deny } any [ icmp_type ] outside

Yes you would.

Jon
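
The distinction discussed in this thread, shown as an added configuration example that is not part of the original posts or of Cisco's documentation. The interface name `outside` is taken from the thread; the 192.0.2.0/24 management network is a constructed placeholder.

```cisco
! Constructed example. 192.0.2.0/24 is a documentation range standing in
! for a monitoring/management network.

! --- Default state (no "icmp" rules configured) ---
! The ASA answers ICMP addressed to any of its own interfaces.
! The interface ACL applied with "access-group out_in in interface outside"
! only filters traffic passing THROUGH the ASA, so pinging the outside
! interface IP never increments the out_in hit counters.

! --- Restricted to-the-box ICMP on the outside interface ---
! Rules are evaluated first match; once any "icmp" rule exists for an
! interface, unmatched ICMP to that interface is implicitly denied.

! Allow echo requests to the interface only from the management network.
icmp permit 192.0.2.0 255.255.255.0 echo outside

! Keep ICMP unreachable (type 3) permitted so path MTU discovery for
! traffic terminating on the ASA (for example VPN) keeps working.
icmp permit any unreachable outside

! Explicit deny for readability; the implicit deny already covers this.
icmp deny any outside

! --- Verification (privileged EXEC) ---
! List the to-the-box ICMP rules currently configured.
show running-config icmp
! Hit counts here reflect through-the-box traffic only.
show access-list out_in
```

After applying this, a ping to the outside interface from an address outside 192.0.2.0/24 should fail, while the `out_in` hit counters remain unaffected by that test.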
