Rahe,
You need to enable inspection for ICMP, which is not on by default.
On Thu, Feb 18, 2010 at 12:19 PM, rahe wum <waseela.mem_at_gmail.com> wrote:
> Hi,
>
> I have created one ACL on ASA permitting only ICMP/HTTP traffic inbound on
> outside interface, and one ACL permitting ICMP/Telnet outbound on outside
> interface.
>
> access-list OUT_IN extended permit icmp any any echo
> access-list OUT_IN extended permit icmp any any echo-reply
> access-list OUT_IN extended permit tcp any host 10.0.0.100 eq www
>
> access-list OUT_OUT extended permit icmp any any echo
> access-list OUT_OUT extended permit icmp any any echo-reply
> access-list OUT_OUT extended permit tcp any any eq telnet
>
> How is the return traffic for telnet permitted when (if I remove the ICMP ACE
> from OUT_IN) the return traffic for ICMP is not...
>
> I am asking the question with the perspective that after we put outbound ACL
> on outside interface it will override the default inspection...and whatever
> traffic we permit in the ACL will be allowed outside...
>
>
> Blogs and organic groups at http://www.ccie.net
--
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

Received on Thu Feb 18 2010 - 12:40:55 ART
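
The fix described in the reply, as an added ASA configuration example that is not part of the original thread. It assumes the factory-default `global_policy` and `inspection_default` names, and the `access-group` bindings are inferred from the question rather than shown in it.

```cisco
! Added example. Config-mode lines first, then one exec-mode check.

! ACL bindings as described in the question (assumed; not shown in the post).
access-group OUT_IN in interface outside
access-group OUT_OUT out interface outside

! TCP (telnet) is tracked statefully by default, so its return traffic
! matches an existing connection and is never checked against OUT_IN.
! ICMP gets the same treatment only once inspection is enabled:
policy-map global_policy
 class inspection_default
  inspect icmp

! With ICMP inspection on, the echo-reply to an outbound ping is allowed
! back as part of the tracked session, so this inbound ACE can be removed
! and unsolicited echo-replies from outside are no longer permitted.
no access-list OUT_IN extended permit icmp any any echo-reply

! Verify from exec mode: the icmp inspect line should be listed and its
! packet counter should increase while pinging through the firewall.
show service-policy | include icmp
```

Keeping `permit icmp any any echo` in OUT_IN is a separate decision: it controls whether outside hosts may ping inward, and is unrelated to return traffic.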
This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:36 ART