Access List not working correctly ASA 5520

Hi all,

We've had a network add and have two inline firewalls. On the second firewall it appears that our inbound access-list is not working.

To test we've currently got:

access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

The problem we have is that we can still ping the second firewall even though all IP traffic should be denied. Has anyone ever come across this, and if so, do they know of a fix?

We do have a second access-list called outside_in which is applied inbound on the outside interface. Could this cause a conflict?

Many thanks,

Chris

Reply to
Chris

That's an outbound access-list, not an inbound access-list.

Pinging a PIX or ASA firewall is not controlled by access-group. Pinging a PIX or ASA firewall is controlled by the 'icmp' command.

Reply to
Walter Roberson

Sorry, I was implying it was inbound relative to the firewall. But yes, it is outbound.

First I knew of that.

Many thanks,

Chris

Reply to
Chris
