Access List not working correctly ASA 5520

Posted by Chris on July 10, 2007, 1:34 pm
Hi all,

We've had a network add and have two inline firewalls. On the second
firewall it appears that our inbound access-list is not working.

To test we've currently got:

access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

The problem we have is that we can still ping the second firewall even
though all IP traffic should be denied. Has anyone ever come across
this, and if so, do they know of a fix?

We do have a second access-list called outside_in which is applied
inbound on the outside interface. Could this cause a conflict?

Many thanks,

Chris


Posted by Walter Roberson on July 11, 2007, 1:56 am

>We've had a network add and have two inline firewalls. On the second
>firewall it appears that our inbound access-list is not working.

>To test we've currently got:
>
>access-list inside_in extended deny ip any any log
>access-group inside_in in interface inside

That's an outbound access-list, not an inbound access-list.

>The problem we have is that we can still ping the second firewall even
>though all IP traffic should be denied. Has anyone ever come across
>this, and if so, do they know of a fix?

Pinging a PIX or ASA firewall is not controlled by access-group.
Pinging a PIX or ASA firewall is controlled by the 'icmp' command.
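
As an added illustration of the two points in Walter's reply (this is not code from the thread and not an ASA feature), here is a small Python model of how an ASA treats the two constructs: an access-group bound "in interface inside" filters packets entering the firewall from the inside network, while ICMP addressed to the firewall's own interface is governed only by the 'icmp' command (no rules on an interface means permit; once rules exist, first match wins and anything unmatched is denied). The configuration text, the 10.0.0.5 management host and the icmp rules are constructed for the example.

```python
import ipaddress
import re

# Constructed config: the two lines the poster showed, with no 'icmp' rules.
THREAD_CONFIG = """
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
"""

# Constructed config adding hypothetical 'icmp' rules so that only one
# management host may ping the inside interface.
FIXED_CONFIG = THREAD_CONFIG + """
icmp permit host 10.0.0.5 echo inside
icmp deny any inside
"""


def parse_access_groups(config):
    """Return {interface: (acl_name, direction)} from access-group lines.

    'in' means packets arriving at that interface from its attached network,
    so an ACL bound 'in interface inside' filters traffic that inside hosts
    send through the firewall; it does not see ICMP aimed at the firewall.
    """
    groups = {}
    for line in config.splitlines():
        m = re.match(r"access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)",
                     line.strip())
        if m:
            acl, direction, iface = m.groups()
            groups[iface] = (acl, direction)
    return groups


def parse_icmp_rules(config):
    """Return [(action, network, icmp_type_or_None, interface)] from
    'icmp {permit|deny} {host A | A MASK | any} [type] IFACE' lines."""
    rules = []
    for line in config.splitlines():
        tokens = line.strip().split()
        if len(tokens) < 4 or tokens[0] != "icmp":
            continue
        action = tokens[1]
        if tokens[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[3:]
        elif tokens[2] == "host":
            net, rest = ipaddress.ip_network(tokens[3] + "/32"), tokens[4:]
        else:
            net = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
            rest = tokens[4:]
        icmp_type = rest[0] if len(rest) == 2 else None
        rules.append((action, net, icmp_type, rest[-1]))
    return rules


def icmp_to_interface_allowed(config, interface, src_ip, icmp_type="echo"):
    """Model the 'icmp' command for ICMP terminating on an interface:
    no rules for that interface -> permit; otherwise first match wins and
    an unmatched packet is denied."""
    rules = [r for r in parse_icmp_rules(config) if r[3] == interface]
    if not rules:
        return True
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_type, _ in rules:
        if src in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False


if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        acl, direction = parse_access_groups(cfg)["inside"]
        print(f"{name}: ACL {acl} bound '{direction}' on inside filters transit traffic only")
        for host in ("10.0.0.5", "10.0.0.99"):
            ok = icmp_to_interface_allowed(cfg, "inside", host)
            print(f"  ping from {host} to inside interface: {'permitted' if ok else 'denied'}")
```

With the thread's two lines alone, every inside host can still ping the inside interface, exactly as the poster observed; once the constructed 'icmp' rules are present, only 10.0.0.5 can, and even that host is limited to echo requests. A practical check on a real ASA is therefore to look for 'icmp' lines for each interface, not at the access-list, when deciding who may reach the firewall itself.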

Posted by Chris on July 11, 2007, 3:30 am
On 11 Jul, 06:56, rober...@hushmail.com (Walter Roberson) wrote:
>
> >We've had a network add and have two inline firewalls. On the second
> >firewall it appears that our inbound access-list is not working.
> >To test we've currently got:
>
> >access-list inside_in extended deny ip any any log
> >access-group inside_in in interface inside
>
> That's an outbound access-list, not an inbound access-list.
>

Sorry, I was implying it was inbound relative to the firewall. But
yes, it is outbound.

> >The problem we have is that we can still ping the second firewall even
> >though all IP traffic should be denied. Has anyone ever come across
> >this, and if so, do they know of a fix?
>
> Pinging a PIX or ASA firewall is not controlled by access-group.
> Pinging a PIX or ASA firewall is controlled by the 'icmp' command.

First I knew of that.

Many thanks,

Chris

