ACL issue on ASA

I've a real problem configuring an ACL on the ASA 8.0(3).

It is just a single ACL that I'm trying:

(config) access-list OUTSIDE extended deny icmp any any
(config) access-group OUTSIDE in interface outside

But still from the internet I can ping.

I'm sure that outside is "outside".

Is there anything I missed?

I checked with ASDM, all config was right. I reset the interface config to its default too: an implicit rule which denies ip any to any. I tested from outside, and still I can ping!!

I was wondering if there were some VPN rule that overrides these ACLs.

-- nini

Yeah, there is.

Look in your config for where it says

icmp permit {parameter} outside


-- Techno_Guy

There is no PIX reference in my ASA 8.0(3); instead it has Device Manager 6.1(1).

In the document you mention, it clearly says that ICMP is denied by default, as in my config (outside interface, inbound), but I don't understand why my ASA can be pinged from outside. It is not only ICMP, but all ports.

-- nini

Type this from within global config mode:

icmp deny any outside

The reason they can ping is because it is not in your config. In the new ASA appliances ICMP is handled a little differently. If that does not work then post your config. Make sure you remove IP addresses prior to posting.

-- Techno_Guy

Yes, you are right, thank you.

But normally the implicit rule (deny ip any any, outside, inbound) should not allow this. Do you think it is an exception only for ICMP traffic? How can I create an ACL which would deny all connections from outside?

I tried with the following commands:

access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
access-group test in interface outside

I need to create an ACL which works, otherwise I cannot work with the dynamic ACL and the ACS which stands behind.

Thank you for your help.

But this still allows ICMP traffic.

-- nini

I am confused! Did the command I gave you not work to block the ICMP traffic? If that is the case then search your config for an

icmp permit statement.

This statement only blocks the defined ICMP type that is in the configuration, to the outside interface or whatever interface you define in the command.

You will still be able to open ports to any NAT'd address. That is controlled with an ACL.

I need to see your config in order to see what else is going on in your configuration if ICMP is still being allowed.

-- Techno_Guy


Maybe I'm not clear enough.

Yes, the command you mentioned did block the ICMP traffic. What I don't understand is why I'm supposed to type this command to block the ICMP, as I already have an implicit access rule which denies all traffic (from outside, inbound):

access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
access-group test in interface outside

Normally, according to my belief, this access rule should have blocked ICMP as well.

So to deny all traffic you have to create an access rule to deny everything AND in addition block ICMP with such a command, or is there something going strange with the ACL?

Here is my config for info.

ASA Version 8.0(3)
!
hostname ASA
domain-name ****
enable password **** encrypted
names
dns-guard
!
interface Ethernet0/0
 description Public DMZ
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address
!
interface Ethernet0/1
 description Private DMZ
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address

dns server-group DefaultDNS
 domain-name xxx.xxx.com
access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging

ip local pool vpn-pool1 10.x.x.1-10.x.x.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Drop_Attack attack action alarm drop
ip audit name Alarm_info info action alarm
ip audit name Alarm_attack attack action alarm
ip audit interface outside Alarm_info
ip audit interface outside Drop_Attack
ip audit interface inside Alarm_info
ip audit interface inside Alarm_attack
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
access-group test in interface outside

dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record xxx-xxx-xxx-policy

http server enable
http 0.0.0.0 0.0.0.0 inside

sysopt connection tcpmss 1400
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

no vpn-addr-assign aaa
no vpn-addr-assign dhcp

management-access inside

no threat-detection basic-threat
no threat-detection statistics access-list

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.2.0133-k9.pkg 2 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-macosx-powerpc-2.2.0133-k9.pkg 3 regex "PPC Mac OS X"
 svc image disk0:/anyconnect-linux-2.2.0133-k9.pkg 4 regex "Linux"
 svc enable
 tunnel-group-list enable

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn

group-policy xxx-xxx-xxx internal

group-policy xxx-xxx-xxx attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec svc
 password-storage disable
 default-domain value xxx.xxx.com
 msie-proxy method use-pac
 msie-proxy pac-url value http://wpad.xxx:8080/wpad.dat
 webvpn
  svc keep-installer installed
  svc keepalive 45
  svc ask none default svc

tunnel-group xxx-xxx-xxx type remote-access
tunnel-group xxx-xxx-xxx general-attributes
 address-pool vpn-pool1
 authentication-server-group xxx LOCAL
 accounting-server-group xxx-ACS
 default-group-policy xxx-xxx-xxx

tunnel-group xxx-xxx-xxx webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias xxx-xxx-xxxl enable
 group-url https://x.x.x.x/vpn enable

tunnel-group xxx-xxx-xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy interface inside

prompt hostname context
Cryptochecksum:2ff8d65543db989b2aab3bfa1600cc10
: end
ASA#

Thank you for your help.

-- nini


It is just something new with the ASA model. The old PIX did not require it. The ACL you create should be used to filter inbound activity to inside hosts. The ASA should block all traffic to all hosts inbound unless you create a NAT rule for any given host from an outside to an inside address.

ACLs on the ASA should be used as follows:

1. If no NAT/VPN rules are present then no ACL is needed (in this case all the firewall is doing is providing NAT to the outside world). No non-established traffic will be permitted back to the inside interfaces.

2. If VPN is present then an ACL is required to define interesting traffic and limit connectivity.

3. If NAT rules are present then create an ACL to filter traffic that is allowed to connect to the outside IP address.

Your way of thinking works on the old PIX as well as Cisco IOS routers. Keep in mind ACLs are "match first", then execute the ACL statement it matches. Which means if your first statement is deny any any, then no other rule will be checked. ICMP just seems to be handled differently on the new ASAs.

Steve

-- Techno_Guy
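The behaviour Techno_Guy describes in the "icmp deny any outside" reply and in the post above has a precise cause that the thread never names: an ACL bound with access-group is only evaluated for traffic passing through the ASA, whereas ICMP addressed to one of the ASA's own interface addresses is handled by the per-interface icmp control list (with no icmp entries, every interface answers every ICMP type). The two mechanisms below are therefore complementary rather than redundant. This is an added example written for this thread, not configuration from either poster; the ACL name OUTSIDE_IN and the choice of permitted ICMP types are assumptions, and the show commands are standard ASA 8.0 commands used only to verify the result.

```cisco
! Through-the-box traffic (to hosts behind the ASA): governed by the
! access-group ACL. Explicit deny lines exist only so that "log debugging"
! records hits; the implicit deny at the end of the list would drop the
! traffic anyway.
access-list OUTSIDE_IN extended deny icmp any any log debugging
access-list OUTSIDE_IN extended deny ip any any log debugging
access-group OUTSIDE_IN in interface outside
!
! To-the-box ICMP (destined to the outside interface address itself):
! governed by the icmp control list, never by the access-group ACL.
! Entries are matched first-match with an implicit deny at the end, so
! keep the types needed for path-MTU discovery and traceroute replies and
! refuse the rest (echo included). ICMP type names and the choice to
! permit these two types are assumptions for this example.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
!
! Other services bound to the interface (webvpn "enable outside",
! "crypto isakmp enable outside", "http"/"ssh" on outside) are likewise
! to-the-box listeners that the access-group ACL does not filter; restrict
! them with their own commands or remove them from the interface.
!
! Verification after a test ping from the outside:
!   show access-list OUTSIDE_IN     - hit counts rise only for through-traffic
!   show running-config icmp        - confirms the icmp control list is active
!   show logging                    - deny messages for the logged ACL entries
```

With this in place a ping to an address behind the ASA is dropped by OUTSIDE_IN and shows up as a hit count on the ACL, while a ping to the outside interface address itself is dropped by the icmp control list and shows no ACL hit at all, which is the difference the original poster was seeing.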


NAT is not used. There is no traffic initiated from inside. It only terminates SSL VPN from outside. The ACL outside is deny anything. I can understand the VPN config overriding the ACL, but not ICMP...

This means I'm not sure the ACL works, and that is why I cannot download the dynamic ACL from the ACS behind.

Thank you anyway.

nini


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.