Re: ACL Behavior

From: Muhammad Anser Khan <manserkhan_at_gmail.com>
Date: Fri, 19 Feb 2010 00:33:15 +0300

Telnet traffic will be stateful, but icmp traffic will not be
stateful. It is also not defined under the global policy as Bryan
said.

Regards,
Anser

On Thu, Feb 18, 2010 at 10:40 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
> Rahe,
>
> You need to enable inspection for ICMP which is not on by default.
>
> On Thu, Feb 18, 2010 at 12:19 PM, rahe wum <waseela.mem_at_gmail.com> wrote:
>
>> Hi,
>>
>> I have created one ACL on ASA permitting only ICMP/HTTP traffic inbound on
>> outside interface, and on ACL permitting ICMP/Telnet outbound on outside
>> interface.
>>
>> access-list OUT_IN extended permit icmp any any echo
>> access-list OUT_IN extended permit icmp any any echo-reply
>> access-list OUT_IN extended permit tcp any host 10.0.0.100 eq www
>>
>> access-list OUT_OUT extended permit icmp any any echo
>> access-list OUT_OUT extended permit icmp any any echo-reply
>> access-list OUT_OUT extended permit tcp any any eq telnet
>>
>> How is the return traffic for telnet permitted when (if I remove the icmp ACE
>> from OUT_IN) the return traffic for icmp is not...
>>
>> I am asking the question with the perspective that after we put an outbound
>> ACL on the outside interface it will override the default inspection...and whatever
>> traffic we permit in the ACL will be allowed outside...
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S, SP), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>

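To make the behaviour discussed in this thread concrete, here is a small Python model added to this archive page. It is not ASA code and not from any of the posters: it simplifies the ASA to two ACLs on the outside interface plus a connection table, where TCP always creates a connection entry and ICMP creates one only when ICMP inspection is enabled. The addresses 10.0.0.10 and 192.0.2.50, the ports and the ICMP identifier are constructed sample values; the ACL contents mirror the OUT_IN / OUT_OUT lists from the question, with OUT_IN_NO_ICMP representing the "remove the icmp ACE from OUT_IN" case. Security levels, NAT and ICMP error inspection are deliberately left out.

```python
"""Constructed model of ASA ACL vs. stateful-inspection behaviour (not ASA code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0             # TCP source port
    dport: int = 0             # TCP destination port
    icmp_type: str = ""        # "echo" or "echo-reply"
    icmp_id: int = 0           # ICMP identifier, pairs an echo with its reply


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry; src/dst are 'any' in the thread, so only proto/port/type are modelled."""
    proto: str
    dport: Optional[int] = None        # None = any TCP port
    icmp_type: Optional[str] = None    # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if pkt.proto == "tcp":
            return self.dport is None or self.dport == pkt.dport
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type


# ACLs from the question (OUT_IN applied inbound, OUT_OUT outbound on "outside")
OUT_IN = [Ace("icmp", icmp_type="echo"), Ace("icmp", icmp_type="echo-reply"), Ace("tcp", dport=80)]
OUT_OUT = [Ace("icmp", icmp_type="echo"), Ace("icmp", icmp_type="echo-reply"), Ace("tcp", dport=23)]
OUT_IN_NO_ICMP = [Ace("tcp", dport=80)]       # the "icmp ACE removed from OUT_IN" case


class AsaModel:
    def __init__(self, acl_in, acl_out, inspect_icmp=False):
        self.acl_in, self.acl_out = acl_in, acl_out
        self.inspect_icmp = inspect_icmp    # models 'inspect icmp' in the global policy
        self.conns = set()                  # connection table of tracked outbound flows

    @staticmethod
    def flow_key(pkt: Packet):
        if pkt.proto == "tcp":
            return ("tcp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return ("icmp", pkt.src, pkt.dst, pkt.icmp_id)

    @staticmethod
    def reverse_key(pkt: Packet):
        """Key the return packet would need to match an existing entry."""
        if pkt.proto == "tcp":
            return ("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("icmp", pkt.dst, pkt.src, pkt.icmp_id)

    def outbound(self, pkt: Packet) -> str:
        if not any(a.matches(pkt) for a in self.acl_out):
            return "deny"
        # TCP is tracked by default; ICMP only becomes stateful with inspection on
        if pkt.proto == "tcp" or (pkt.proto == "icmp" and self.inspect_icmp):
            self.conns.add(self.flow_key(pkt))
        return "permit-acl"

    def inbound(self, pkt: Packet) -> str:
        # Return traffic of a tracked flow bypasses the inbound ACL entirely
        if self.reverse_key(pkt) in self.conns:
            return "permit-state"
        if any(a.matches(pkt) for a in self.acl_in):
            return "permit-acl"
        return "deny"                       # implicit deny at the end of the ACL


def run_scenario(inspect_icmp: bool, acl_in=OUT_IN_NO_ICMP) -> dict:
    """Telnet session and ping from inside host 10.0.0.10 to outside host 192.0.2.50 (constructed)."""
    asa = AsaModel(acl_in=acl_in, acl_out=OUT_OUT, inspect_icmp=inspect_icmp)
    syn = Packet("tcp", "10.0.0.10", "192.0.2.50", sport=40000, dport=23)
    synack = Packet("tcp", "192.0.2.50", "10.0.0.10", sport=23, dport=40000)
    echo = Packet("icmp", "10.0.0.10", "192.0.2.50", icmp_type="echo", icmp_id=7)
    reply = Packet("icmp", "192.0.2.50", "10.0.0.10", icmp_type="echo-reply", icmp_id=7)
    return {
        "telnet_out": asa.outbound(syn),
        "telnet_return": asa.inbound(synack),
        "ping_out": asa.outbound(echo),
        "ping_return": asa.inbound(reply),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"inspect icmp={flag}:", run_scenario(inspect_icmp=flag))
```

Running it shows the asymmetry from the question: the Telnet SYN/ACK comes back as "permit-state" regardless of OUT_IN, while the echo-reply is denied once the ICMP ACEs are gone from OUT_IN, and only becomes "permit-state" when inspect_icmp is set, which is the fix Bryan describes. Keeping explicit echo-reply permits in OUT_IN also lets the reply through, but then any outside host can send echo-replies inbound, so the inspection route is the tighter one.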
Received on Fri Feb 19 2010 - 00:33:15 ART

This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:36 ART