Cisco Support Community

New Member

Applying ACL to Outside interface

I am testing a PIX before it goes into the production network. Maybe I am making a very stupid mistake, but I am having trouble applying an access list to the outside interface. Here is the partial config

+++++++++++++++++++++++++++

nameif ethernet0 outside security0

access-list 103; 2 elements

access-list 103 deny icmp any any (hitcnt=0)

access-list 103 deny ip any any (hitcnt=0)

ip address outside x.x.x.60 255.255.255.248

access-group 103 in interface outside

++++++++++++++++++++++++++++++++++++++++++++++++

But when I ping the outside interface from a client (x.x.x.57), it responds to the pings, although it should have denied them based on the access list.

Below is the capture

______________________________

11:31:09.856507 x.x.x.60 > x.x.x.57: icmp: echo reply(fragment-packet)

11:31:09.858018 X.x.x.57 > x.x.x.60: icmp: echo request(fragment-packet)

________________________________________________

6 REPLIES
Silver

Re: Applying ACL to Outside interface

What does it mean by (fragment-packet)? Did you try sysopt security fragguard feature?

Thanks.

New Member

Re: Applying ACL to Outside interface

Still the same thing with sysopt security fragguard feature.

Silver

Re: Applying ACL to Outside interface

I think you will only be able to ping the FW's outside interface. Nothing Inside.

Rais.

New Member

Re: Applying ACL to Outside interface

Actually it is forwarding traffic for other hosts. Below 10.1.1.1 doesn't exist but the PIX ACL did allow this traffic to come inside.

12:37:14.342053 x.x.x.57 > 10.1.1.1: icmp: echo request(fragment-packet)

12:37:16.341245 x.x.x.57 > 10.1.1.1: icmp: echo request(fragment-packet)

Silver

Re: Applying ACL to Outside interface

I only see echo request in your debug output. Are you getting replies as well on the .57 machine?

Thanks.

New Member

Re: Applying ACL to Outside interface

I should have used the (config)#icmp permit|deny .... command.

It seems ICMP packets destined towards an interface are not controlled by ACL statements.
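The distinction the last reply lands on, shown as a config fragment. This is an added example, not configuration posted in the thread: the access-list and access-group lines are the poster's own, and the icmp lines are the standard PIX 6.x way of controlling ICMP that terminates on the firewall itself. The lines starting with ! are annotations for the reader, not part of the device configuration, and the decision to keep echo-reply, unreachable and time-exceeded is an assumption about what the poster wants (replies to the PIX's own pings and path-MTU messages still arrive).

```cisco
! Through-traffic: the interface ACL is consulted for packets the PIX
! would forward to another interface. This is why the poster saw the
! echo requests to 10.1.1.1 counted against access-list 103.
access-list 103 deny icmp any any
access-list 103 deny ip any any
access-group 103 in interface outside

! To-the-box traffic: ICMP addressed to an interface IP (x.x.x.60 here)
! never hits access-list 103. It is evaluated against the icmp control
! list for that interface instead, first match wins, and once any icmp
! rule exists on an interface there is an implicit deny at the end.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
```

With this in place, an echo request from x.x.x.57 to x.x.x.60 is dropped by the final icmp deny, while the PIX's own outbound pings still receive their echo replies. To confirm the rule set is being matched, show icmp lists the entries per interface, and a capture like the one in the original post should show the echo request arriving with no echo reply leaving.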
