Access List not working correctly ASA 5520

on 10.07.2007 19:34:12 by Chris

Hi all,

We've had a network add and have two inline firewalls. On the second
firewall it appears that our inbound access-list is not working.

To test we've currently got:

access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

The problem we have is that we can still ping the second firewall even
though all IP traffic should be denied. Has anyone ever come across
this, and if so, do they know of a fix?

We do have a second access-list called outside_in which is applied
inbound on the outside interface. Could this cause a conflict?

Many thanks,

Chris

Re: Access List not working correctly ASA 5520

on 11.07.2007 07:56:25 by roberson

In article <1184088852.924846.276930@o61g2000hsh.googlegroups.com>,
Chris wrote:

>We've had a network add and have two inline firewalls. On the second
>firewall it appears that our inbound access-list is not working.

>To test we've currently got:
>
>access-list inside_in extended deny ip any any log
>access-group inside_in in interface inside

That's an outbound access-list, not an inbound access-list.

>The problem we have is that we can still ping the second firewall even
>though all IP traffic should be denied. Has anyone ever come across
>this, and if so, do they know of a fix?

Pinging a PIX or ASA firewall is not controlled by access-group.
Pinging a PIX or ASA firewall is controlled by the 'icmp' command.
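The distinction in the reply above, worked through as a small model. This is an added example written for this page, not Cisco code and not the poster's configuration: it parses a constructed ASA-style config (interface names, addresses and the host 10.1.1.50 are assumptions) and decides which rule set judges a packet arriving on an interface. An `access-group ... in interface inside` list filters traffic passing through the box that arrives on inside; ICMP addressed to the interface's own address is judged by the `icmp` control list for that interface (no entries means to-the-box ICMP is permitted; once entries exist, an implicit deny ends the list).

```python
"""Model of ASA through-the-box vs. to-the-box ICMP handling.

Added illustration for the thread, not Cisco's implementation.  Only the
two cases the thread raises are modelled: a transit packet judged by the
inbound access-group, and a ping of the receiving interface's own address
judged by the `icmp` control list.  Addresses and names are constructed.
"""
import ipaddress


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect interfaces, extended ACLs, inbound access-groups and icmp rules."""
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "icmp": {}}
    current = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            current = {"name": None, "ip": None}
        elif t[0] == "nameif" and current is not None:
            current["name"] = t[1]
            cfg["ifaces"][t[1]] = current
        elif t[:2] == ["ip", "address"] and current is not None:
            current["ip"] = ipaddress.ip_address(t[2])
        elif t[0] == "access-list" and t[2] == "extended":
            action, proto = t[3], t[4]            # e.g. deny ip any any log
            src, rest = _take_addr(t[5:])
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(t[1], []).append((action, proto, src, dst))
        elif t[0] == "access-group" and t[2] == "in":
            cfg["groups"][t[4]] = t[1]            # access-group NAME in interface IFACE
        elif t[0] == "icmp" and t[1] in ("permit", "deny"):
            net, rest = _take_addr(t[2:])         # icmp {permit|deny} ADDR [TYPE] IFACE
            icmp_type = rest[0] if len(rest) == 2 else None
            cfg["icmp"].setdefault(rest[-1], []).append((t[1], net, icmp_type))
    return cfg


def ingress_decision(cfg, iface, src, dst, proto="ip", icmp_type="echo"):
    """Verdict for a packet arriving on `iface`: (action, reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "icmp" and dst_ip == cfg["ifaces"][iface]["ip"]:
        # To-the-box ICMP: the icmp control list, not the access-group.
        rules = cfg["icmp"].get(iface, [])
        if not rules:
            return "permit", "no icmp entries on interface; ICMP to the box allowed"
        for action, net, typ in rules:
            if src_ip in net and typ in (None, icmp_type):
                return action, f"icmp {action} rule on {iface}"
        return "deny", "implicit deny at end of icmp control list"
    # Transit traffic: the ACL bound inbound on the receiving interface.
    acl = cfg["groups"].get(iface)
    if acl is None:
        return "permit", "no access-group bound inbound on interface"
    for action, p, s, d in cfg["acls"][acl]:
        if p in ("ip", proto) and src_ip in s and dst_ip in d:
            return action, f"access-list {acl} {action} {p}"
    return "deny", f"implicit deny at end of {acl}"


# Constructed config reproducing the thread's test (interface details assumed).
THREAD_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
"""

# Same config with to-the-box ICMP on inside restricted via the icmp command.
FIXED_CONFIG = THREAD_CONFIG + """
icmp permit host 10.1.1.50 echo inside
icmp deny any inside
"""


def demo():
    """Ping the firewall vs. ping through it, before and after the icmp rules."""
    before, after = parse_config(THREAD_CONFIG), parse_config(FIXED_CONFIG)
    return {
        "ping_fw_before": ingress_decision(before, "inside", "10.1.1.99", "10.1.1.1", "icmp")[0],
        "ping_through_before": ingress_decision(before, "inside", "10.1.1.99", "203.0.113.50", "icmp")[0],
        "ping_fw_after_allowed_host": ingress_decision(after, "inside", "10.1.1.50", "10.1.1.1", "icmp")[0],
        "ping_fw_after_other_host": ingress_decision(after, "inside", "10.1.1.99", "10.1.1.1", "icmp")[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

With the thread's config the model permits the ping of 10.1.1.1 (no `icmp` entries on inside) while denying the same ICMP when it would transit to 203.0.113.50; after the two `icmp` lines, only the listed host may still echo the interface.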

Re: Access List not working correctly ASA 5520

on 11.07.2007 09:30:53 by Chris

On 11 Jul, 06:56, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1184088852.924846.276...@o61g2000hsh.googlegroups.com>,
>
> Chris wrote:
> >We've had a network add and have two inline firewalls. On the second
> >firewall it appears that our inbound access-list is not working.
> >To test we've currently got:
>
> >access-list inside_in extended deny ip any any log
> >access-group inside_in in interface inside
>
> That's an outbound access-list, not an inbound access-list.
>

Sorry, I was implying it was inbound relative to the firewall. But
yes, it is outbound.

> >The problem we have is that we can still ping the second firewall even
> >though all IP traffic should be denied. Has anyone ever come across
> >this, and if so, do they know of a fix?
>
> Pinging a PIX or ASA firewall is not controlled by access-group .
> Pinging a PIX or ASA firewall is controlled by the 'icmp' command.

First I knew of that.

Many thanks,

Chris