I have a real problem configuring an ACL on the ASA 8.0(3).
It is just a single ACL that I'm trying:
(config) access-list OUTSIDE extended deny icmp any any
(config) access-group OUTSIDE in interface outside
but still from the internet I can ping.
I'm sure that outside is "outside".
Is there anything I miss?
I checked with ASDM, all config was right. I reset the interface config to its default too: an implicit rule which denies ip any to any. I tested from outside, and still I can ping!!
I was wondering if there were some VPN rule that overrides these ACLs.
There are no PIX references on my ASA 8.0(3); instead a device manager 6.1(1).
In the document you mention, it clearly says that ICMP is denied by default, as in my config (outside interface, inbound), but I don't understand why my ASA can be pinged from outside. It is not only ICMP, but all ports.
Type this from within global config mode:
icmp deny any outside
The reason they can ping is because it is not in your config. In the new ASA appliances ICMP is handled a little differently. If that does not work then post your config. Make sure you remove IP addresses prior to posting.
But normally the implicit rule (deny ip any any, outside, inbound) should not allow this. Do you think it is an exception only for ICMP traffic? How can I create an ACL which would deny all connections from outside?
I tried with the following commands:
access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
access-group test in interface outside
I need to create an ACL which works, otherwise I can not work with the dynamic ACL and the ACS which stands behind..
I am confused! Did the command I gave you not work to block the ICMP traffic? If that is the case then search your config for an icmp permit statement.
This statement only blocks the defined ICMP type that is in the configuration to the outside interface, or whatever interface you define in the command.
You will still be able to open ports to any NAT'd address. That is controlled with an ACL.
I need to see your config in order to see what else is going on in your configuration if ICMP is still being allowed.
Yes, the command you mentioned did block the ICMP traffic. What I don't understand is why I'm supposed to type this command to block the ICMP, as I already have an implicit access rule which denies all traffic (from outside, inbound):
access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
access-group test in interface outside
Normally, according to my belief, this access rule should have blocked ICMP as well.
So to deny all traffic you have to create an access rule to deny everything AND in addition block ICMP with such a command? Or is there something going strange with the ACL?
Here is my config for info.
ASA Version 8.0(3)
!
hostname ASA
domain-name ****
enable password **** encrypted
names
dns-guard
!
interface Ethernet0/0
 description Public DMZ
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address
!
interface Ethernet0/1
 description Private DMZ
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address
dns server-group DefaultDNS
 domain-name xxx.xxx.com
access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
ip local pool vpn-pool1 10.x.x.1-10.x.x.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Drop_Attack attack action alarm drop
ip audit name Alarm_info info action alarm
ip audit name Alarm_attack attack action alarm
ip audit interface outside Alarm_info
ip audit interface outside Drop_Attack
ip audit interface inside Alarm_info
ip audit interface inside Alarm_attack
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
access-group test in interface outside
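The point the replies make is that the inbound interface ACL filters traffic passing through the ASA, while ICMP addressed to the ASA's own interface is governed by the separate icmp rules for that interface, so a config like the one above can carry a "deny ip any any" ACL and still answer pings. The following audit script is an added example (not code from the thread, from Cisco, or from any ASA tool): it parses a constructed config modelled on the posted one, extracts access-group and icmp rules per nameif, and flags interfaces that have an inbound ACL but no icmp rule denying echo requests from any source. The rule-evaluation model (first match wins, implicit deny once at least one icmp rule exists for the interface, all ICMP accepted when none exists) is an assumption stated in the code.

```python
"""Audit an ASA 8.x config for interfaces whose inbound ACL does not
cover pings to the ASA itself (icmp rules do that). Added example."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the configuration posted in the thread
# (addresses removed, unrelated lines omitted).
SAMPLE_CONFIG = """\
ASA Version 8.0(3)
interface Ethernet0/0
 description Public DMZ
 nameif outside
 security-level 0
interface Ethernet0/1
 description Private DMZ
 nameif inside
 security-level 100
access-list test extended deny ip any any log debugging
access-list test extended deny icmp any any log debugging
icmp unreachable rate-limit 1 burst-size 1
access-group test in interface outside
"""

# Same sample with the rule the second poster recommended appended.
FIXED_CONFIG = SAMPLE_CONFIG + "icmp deny any outside\n"

ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$", re.M)
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)", re.M)


def parse_interfaces(config: str) -> List[str]:
    """Return the nameif of every interface block in the config."""
    return NAMEIF_RE.findall(config)


def parse_access_groups(config: str) -> Dict[str, Dict[str, str]]:
    """Map nameif -> {direction: acl_name} from access-group lines."""
    groups: Dict[str, Dict[str, str]] = {}
    for acl, direction, iface in ACCESS_GROUP_RE.findall(config):
        groups.setdefault(iface, {})[direction] = acl
    return groups


def parse_icmp_rules(config: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] <nameif>'.
    Lines such as 'icmp unreachable rate-limit ...' are not rules."""
    rules: List[Dict[str, Optional[str]]] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
            continue
        if t[2] == "any":
            source, rest = "any", t[3:]
        elif t[2] == "host":
            source, rest = t[3], t[4:]
        else:  # network followed by mask
            source, rest = f"{t[2]}/{t[3]}", t[4:]
        if len(rest) not in (1, 2):
            continue  # malformed; ignore rather than guess
        rules.append({"action": t[1], "source": source,
                      "type": rest[0] if len(rest) == 2 else None,  # None = all types
                      "interface": rest[-1]})
    return rules


def echo_blocked(rules: List[Dict[str, Optional[str]]], iface: str) -> bool:
    """True only if no external host can get an echo through to `iface`.
    Assumed ASA model: rules evaluated top-down, first match wins, implicit
    deny at the end of a non-empty list; no rules at all means accept."""
    iface_rules = [r for r in rules if r["interface"] == iface]
    if not iface_rules:
        return False
    for r in iface_rules:
        if r["type"] not in (None, "echo"):
            continue  # rule cannot match an echo request
        if r["action"] == "permit":
            return False  # some source (any/host/network) is allowed through
        if r["source"] == "any":
            return True  # deny any echo: nothing gets past this line
    return True  # implicit deny


def audit(config: str) -> Dict[str, Dict[str, object]]:
    groups = parse_access_groups(config)
    rules = parse_icmp_rules(config)
    return {iface: {"inbound_acl": groups.get(iface, {}).get("in"),
                    "icmp_rules": sum(1 for r in rules if r["interface"] == iface),
                    "self_ping_blocked": echo_blocked(rules, iface)}
            for iface in parse_interfaces(config)}


def findings(config: str) -> List[str]:
    """Interfaces with an inbound ACL but no icmp rule blocking pings to the box."""
    return [iface for iface, r in audit(config).items()
            if r["inbound_acl"] and not r["self_ping_blocked"]]


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with icmp deny", FIXED_CONFIG)):
        print(label, audit(cfg), "findings:", findings(cfg))
```

Run against the posted shape of the config, the script reports "outside" as carrying ACL "test" with zero icmp rules, which is exactly the state in which the poster could still ping the interface; appending "icmp deny any outside" clears the finding. A real config saved with "show running-config" can be fed in via the same functions; lines the parser does not recognise are ignored.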
It is just something new with the ASA model. The old PIX did not require it. The ACL you create should be used to filter inbound activity to inside hosts. The ASA should block all traffic to all hosts inbound unless you create a NAT rule for any given host from an outside to an inside address.
ACLs on the ASA should be used as follows:
1. If no NAT/VPN rules are present then no ACL is needed (in this case all the firewall is doing is providing NAT to the outside world; no non-established traffic will be permitted back to the inside interfaces).
2. If VPN is present then an ACL is required to define interesting traffic and limit connectivity.
3. If NAT rules are present then create an ACL to filter traffic that is allowed to connect to the outside IP address.
Your way of thinking works on the old PIX as well as Cisco IOS routers. Keep in mind ACLs are "match first", then execute the ACL statement it matches. Which means if your first statement is deny any any, then no other rule will be checked. ICMP just seems to be handled differently on the new ASAs.
NAT is not used. There is no traffic initiated from inside. It only terminates SSL VPN from outside. The ACL outside is deny anything. I can understand the VPN config overriding the ACL, but not ICMP...
This means I'm not sure the ACL works, and that is why I can not download the dynamic ACL from the ACS behind.