Access List not working correctly ASA 5520

Hi all,

We've had a network add and have two inline firewalls. On the second
firewall it appears that our inbound access-list is not working.

To test we've currently got:

access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

The problem we have is that we can still ping the second firewall even
though all IP traffic should be denied. Has anyone ever come across
this, and if so, do they know of a fix?

We do have a second access-list called outside_in which is applied
inbound on the outside interface. Could this cause a conflict?

Many thanks,

Chris
Chris [ Tue, 10 July 2007 19:34 ] [ ID #1765037 ]

Re: Access List not working correctly ASA 5520

In article <1184088852.924846.276930 [at] o61g2000hsh.googlegroups.com>,
Chris <christopher.bloomfield [at] bt.com> wrote:

>We've had a network add and have two inline firewalls. On the second
>firewall it appears that our inbound access-list is not working.

>To test we've currently got:
>
>access-list inside_in extended deny ip any any log
>access-group inside_in in interface inside

That's an outbound access-list, not an inbound access-list.

>The problem we have is that we can still ping the second firewall even
>though all IP traffic should be denied. Has anyone ever come across
>this, and if so, do they know of a fix?

Pinging a PIX or ASA firewall is not controlled by access-group.
Pinging a PIX or ASA firewall is controlled by the 'icmp' command.
roberson [ Wed, 11 July 2007 07:56 ] [ ID #1766108 ]
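The split Walter describes, as an added configuration example that is not from the original thread (the interface name "inside" is the poster's; the management host 10.0.0.5 and the icmp rules are constructed): access-group governs traffic passing through the ASA, while the icmp command governs ICMP addressed to the ASA's own interfaces.

```cisco
! Constructed example, not from the thread.
!
! 1. Through-the-box traffic: access-list + access-group.
!    "in interface inside" matches packets arriving on the inside
!    interface from the inside network, i.e. outbound relative to the
!    network (the point made in the reply). It never matches packets
!    whose destination is the ASA itself, so a ping to the inside
!    interface address is unaffected by this deny.
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! 2. To-the-box ICMP: the icmp command, kept per interface and
!    evaluated top-down, first match wins. Allow echo from a single
!    management host (constructed address) and deny the rest. The
!    explicit final deny keeps the policy independent of the
!    implicit behaviour once any icmp rule exists on the interface.
icmp permit host 10.0.0.5 echo inside
icmp deny any inside
!
! If the ASA itself must originate pings or rely on path-MTU
! discovery from this interface, also permit the matching reply
! types (echo-reply, unreachable) ahead of the deny.
!
! Check what is in effect:
!   show running-config icmp
!   show running-config access-group
```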

Re: Access List not working correctly ASA 5520

On 11 Jul, 06:56, rober... [at] hushmail.com (Walter Roberson) wrote:
> In article <1184088852.924846.276... [at] o61g2000hsh.googlegroups.com>,
>
> Chris <christopher.bloomfi... [at] bt.com> wrote:
> >We've had a network add and have two inline firewalls. On the second
> >firewall it appears that our inbound access-list is not working.
> >To test we've currently got:
>
> >access-list inside_in extended deny ip any any log
> >access-group inside_in in interface inside
>
> That's an outbound access-list, not an inbound access-list.
>

Sorry, I was implying it was inbound relative to the firewall. But
yes, it is outbound.

> >The problem we have is that we can still ping the second firewall even
> >though all IP traffic should be denied. Has anyone ever come across
> >this, and if so, do they know of a fix?
>
> Pinging a PIX or ASA firewall is not controlled by access-group.
> Pinging a PIX or ASA firewall is controlled by the 'icmp' command.

First I knew of that.

Many thanks,

Chris
Chris [ Wed, 11 July 2007 09:30 ] [ ID #1766110 ]
Miscellaneous » comp.security.firewalls » Access List not working correctly ASA 5520