Lesson 1 of 6

Access Control Policy Fundamentals

Objective

In this lesson you will learn how to create and apply basic access control policies on an ASA/FTD-class firewall appliance, and how intrusion (IPS) verdicts can affect access-control decisions. You will configure inbound ACLs to permit ICMP echo-replies from lower-security interfaces, verify connectivity, and observe how an IPS can block traffic before an access-control rule is matched. This matters in production because ICMP (and other stateless protocols) require explicit handling on firewalls — without it, legitimate replies are often dropped — and intrusion policies can take precedence and silently terminate flows.

Real-world scenario: a datacenter firewall separates Inside (trusted) hosts from DMZ and Internet. Inside hosts initiate pings and SSH to servers outside. The firewall must allow replies back in, but an intrusion signature on the firewall can still detect and drop malicious traffic before your ACLs log or allow it.


Topology & Device Table

ASCII topology (exact interface names and IPs drawn from the reference material):

        [R1 - Inside Router]
        Lo0: 1.1.1.1
             |
             | 192.168.75.0/24
             |
        ASA-FW (inside)  192.168.75.14
        ASA-FW (dmz)     192.168.76.14
        ASA-FW (outside) 192.168.77.40
             |
             | 192.168.77.0/24
             |
        [Internet Router]
        Lo0: 2.2.2.2

Device Table

Device    Interface         IP Address      Subnet Mask        Role
R1        Lo0               1.1.1.1         /32 (loopback)     Inside test source
ASA-FW    inside            192.168.75.14   255.255.255.0      Firewall inside IF
ASA-FW    dmz               192.168.76.14   255.255.255.0      Firewall DMZ IF
ASA-FW    outside (Gi0/1)   192.168.77.40   255.255.255.0      Firewall outside IF
Internet  Lo0               2.2.2.2         /32 (remote host)  Remote ping target

Tip: The ASA/FTD has interfaces named “inside”, “dmz”, and “outside” in the examples. Exact IPs are taken from the reference output so verification commands match what you will see.


Key Concepts

  • Access Control Lists (ACLs) & Access-Groups: On ASA, ACLs define permitted or denied traffic; applying an ACL to an interface with access-group enforces the policy. ACLs applied inbound on a lower-security interface are commonly needed to permit replies for stateless protocols (like ICMP) originated from a higher-security interface.
      • Protocol behavior: ICMP is stateless on ASA by default — replies are not tracked unless you enable inspection or explicitly permit the reply via an inbound ACL.
  • Rule evaluation order: The firewall evaluates intrusion (IPS) checks before the final access-control decision in many modern FTD architectures. This means an IPS drop can terminate a session before the AC policy logs or allows it.
      • Practical consequence: Even if an AC rule says “Trust”, the IPS can still block and blacklist the flow first.
  • ICMP echo-reply vs. echo-request: To allow a host inside to ping an outside host, you must permit the return ICMP echo-reply on the interface where the reply arrives. On ASA this is commonly implemented with an ACL that permits icmp any any echo-reply.

  • Logging & troubleshooting: Use show logging | include connection, show conn ..., and packet captures to understand how the firewall processed a flow — whether it created a connection, tore it down, or dropped it due to IPS or file policy.

  • Analogy: Think of the firewall as a multi-stage security checkpoint: IPS screening (sniffer) checks packages first; then the ACL officer decides entry. If the sniffer flags something hazardous, it can remove the package before the officer ever sees it.


Step-by-step configuration

Step 1: Create ACL to permit ICMP echo-reply on the outside interface

What we are doing: Permit ICMP echo-reply packets inbound on the outside interface so that pings initiated from inside (higher security) can get responses back from the outside network. This addresses ICMP's statelessness on ASA.

ASA-FW# configure terminal
ASA-FW(config)# access-list OUTSIDE_IN permit icmp any any echo-reply
ASA-FW(config)# exit

What just happened: The access-list command creates a named ACL OUTSIDE_IN that permits ICMP echo-reply traffic from any source to any destination. Because ICMP replies are not connection-tracked by default on ASA, adding this explicit rule allows the inbound reply packets to traverse the outside interface back to the originator.

Real-world note: In production, teams often permit only specific source networks in the ACL instead of any, limiting exposure. Using any is acceptable for lab demonstration but not recommended for production.

Verify:

ASA-FW# show access-list OUTSIDE_IN
access-list OUTSIDE_IN; 1 elements
access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply


Step 2: Create ACL to permit ICMP echo-reply on the DMZ interface

ASA-FW# configure terminal
ASA-FW(config)# access-list DMZ_IN permit icmp any any echo-reply
ASA-FW(config)# exit

What just happened: A second named ACL DMZ_IN is created that allows ICMP echo-reply traffic arriving on the DMZ interface. If a higher-security inside host pings a DMZ server, the server’s echo-replies will be allowed back into the inside network when this ACL is applied.

Real-world note: DMZ rules are commonly stricter; instead of any any you would normally permit only DMZ server IPs and specific reply types.

Verify:

ASA-FW# show access-list DMZ_IN
access-list DMZ_IN; 1 elements
access-list DMZ_IN line 1 extended permit icmp any any echo-reply


Step 3: Apply the ACLs inbound on the outside and DMZ interfaces

ASA-FW# configure terminal
ASA-FW(config)# access-group OUTSIDE_IN in interface OUT
ASA-FW(config)# access-group DMZ_IN in interface DMZ
ASA-FW(config)# exit

What just happened: access-group binds each named ACL to an interface (by its nameif) in the inbound direction. Now, inbound packets arriving on the OUT interface are checked against OUTSIDE_IN, and inbound packets on DMZ are checked against DMZ_IN. Any packet that matches echo-reply is permitted; packets that match no line fall through to the ACL's implicit deny, so traffic initiated from the lower-security side remains blocked.

Real-world note: Applying an ACL inbound on a lower-security interface is a typical pattern to allow replies for stateless protocols while keeping default deny in place for traffic from outside.

Verify:

ASA-FW# show running-config access-group
access-group OUTSIDE_IN in interface OUT
access-group DMZ_IN in interface DMZ


Step 4: Test connectivity from the inside router

R1# ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

What just happened: The ping was sourced from 1.1.1.1 (R1’s loopback) and the firewall allowed the echo-replies back in through the outside interface because of the OUTSIDE_IN ACL. The !!!!! indicates successful replies for all five probes.

Real-world note: If the ping fails despite ACLs, confirm NAT rules and routing; NAT or route asymmetry can prevent replies from returning to the firewall as expected.

Verify firewall logs and connection info:

ASA-FW# show logging | include connection
Jun 13 2022 13:32:49: %FTD-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2022 13:33:00: %FTD-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43
ASA-FW# show conn address 192.168.75.179
UDP outside 192.168.75.179:138 inside 192.168.75.255:138, idle 0:00:19, bytes 35306, flags -N
UDP outside 192.168.75.179:137 inside 192.168.75.255:137, idle 0:00:19, bytes 6350, flags -N
ASA-FW# show capture CAPI packet-number 3 trace
09:11:54.814395 192.168.75.39 > 192.168.77.40: icmp: echo request
..
Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.77.40 using egress ifc outside
..
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address c84c.758d.4980 hits 140
ASA-FW# show arp inside
192.168.75.14 000c.2930.2b78 8 inside
192.168.75.12 000c.29d0.ebcf 1286 inside
192.168.75.39 0004.deab.681b 3923 inside
192.168.75.122 000c.29ec.80e1 12451 inside
192.168.76.14 000c.2998.3fec 55 dmz
192.168.76.1 c84c.758d.4981 3413 dmz
192.168.76.39 0004.deab.681a 3743 dmz
192.168.77.23 6c41.6aa1.2bf5 1305 outside
192.168.77.40 c84c.758d.4980 4613 outside

What just happened: The show logging lines are teardown events (%FTD-6-302021 for ICMP, %FTD-6-302016 for UDP), confirming the firewall built a connection for those flows and later closed it. The packet trace phases (ROUTE-LOOKUP and ADJACENCY-LOOKUP) and the ARP table validate the egress interface and next-hop MAC used when forwarding the ICMP packets. show conn lists active or recently active sessions; here, UDP sessions for the queried address.
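As an added example that is not part of the lesson's reference material, the following Python script parses firewall syslog lines of the kinds quoted above and separates normal connection teardowns from the IPS "Deleting session" drop. The sample lines are constructed: the two teardown lines mirror the lesson's show logging output, and the IPS line assumes the GID/SID pair is appended to the message text.

```python
import re

# Constructed sample: lines 1-2 mirror the lesson's "show logging | include connection"
# output; line 3 is an assumed rendering of the "Deleting session ... drop IPS rule"
# message the lesson quotes, with GID=1 SID=408 appended as the lesson's example.
SAMPLE_LOG = """\
Jun 13 2022 13:32:49: %FTD-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2022 13:33:00: %FTD-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43
Jun 13 2022 13:33:05: Deleting session [!Session was deleted because we hit a drop IPS rule GID=1 SID=408]
"""

# 302021: ICMP teardown (laddr = local/real, gaddr = mapped, faddr = foreign).
ICMP_TEARDOWN = re.compile(
    r"%(?:ASA|FTD)-\d-302021: Teardown ICMP connection for "
    r"faddr (?P<faddr>\S+)/\d+ gaddr (?P<gaddr>\S+)/\d+ laddr (?P<laddr>\S+)/\d+")
# 302014 (TCP) / 302016 (UDP) teardown with interface:addr/port on both sides.
L4_TEARDOWN = re.compile(
    r"%(?:ASA|FTD)-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>\S+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dst>\S+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)")
# IPS verdict that removed the session before the AC policy could allow or log it.
IPS_DROP = re.compile(
    r"Deleting session \[!Session was deleted because we hit a drop IPS rule"
    r"(?: GID=(?P<gid>\d+) SID=(?P<sid>\d+))?")

def parse_events(log_text):
    """Turn syslog lines into event dicts; lines of other kinds are skipped."""
    events = []
    for line in log_text.splitlines():
        if m := ICMP_TEARDOWN.search(line):
            events.append({"kind": "teardown", "proto": "ICMP",
                           "src": m["laddr"], "dst": m["faddr"]})
        elif m := L4_TEARDOWN.search(line):
            events.append({"kind": "teardown", "proto": m["proto"], "src": m["src"],
                           "dst": m["dst"], "src_if": m["sif"], "dst_if": m["dif"],
                           "bytes": int(m["bytes"])})
        elif m := IPS_DROP.search(line):
            events.append({"kind": "ips_drop", "gid": m["gid"], "sid": m["sid"]})
    return events

def ips_drop_signatures(events):
    """Distinct (GID, SID) pairs whose drop verdict killed a flow; review these first."""
    return sorted({(e["gid"], e["sid"]) for e in events if e["kind"] == "ips_drop"})

def teardowns_for(events, host):
    """Teardown events in which `host` was either endpoint."""
    return [e for e in events if e["kind"] == "teardown" and host in (e["src"], e["dst"])]
```

Feed it the output of show logging | include connection (plus any IPS session-deletion lines) to see at a glance whether a missing echo-reply was torn down normally or never reached the AC policy because an intrusion rule fired.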


Verification Checklist

  • Check 1: Inside host (1.1.1.1) can successfully ping 2.2.2.2. Verify with the ping output showing 100% success as above.
  • Check 2: OUTSIDE_IN and DMZ_IN ACL entries exist and show permit icmp any any echo-reply. Verify with show access-list OUTSIDE_IN and show access-list DMZ_IN.
  • Check 3: ACLs are applied to the proper interfaces. Verify with show running-config access-group.
  • Check 4: Firewall logs include connection teardown messages for ICMP or UDP (confirm with show logging | include connection) and show capture confirms packets were processed.

Common Mistakes

Symptom: Ping from inside initiator times out; no replies
Cause: No inbound ACL allowing ICMP echo-reply on the lower-security interface (outside/dmz)
Fix: Create access-list ... permit icmp any any echo-reply and access-group it to the interface

Symptom: Ping fails intermittently or only one-directional
Cause: ICMP is stateless, and dynamic inspection is not enabled; replies are blocked on return
Fix: Permit echo-reply via inbound ACL or enable global ICMP inspection (not covered here)

Symptom: Firewall logs show "Deleting session [!Session was deleted because we hit a drop IPS rule...]"
Cause: An intrusion signature (IPS) matched and blocklisted the flow before the AC policy could be logged/allowed
Fix: Review intrusion policy and signature (GID=1, SID=408 example) and tune or disable the rule if false-positive

Symptom: ACL applied but not working for specific hosts
Cause: ACL uses any but NAT or asymmetric routing sends replies elsewhere
Fix: Verify NAT, routing, and adjacency with show arp, show interface, and show capture

Key Takeaways

  • On ASA, ICMP replies are not statefully tracked by default; you must explicitly permit echo-replies on the interface that receives them (commonly the lower-security interface).
  • Use access-list <name> permit icmp any any echo-reply plus access-group <name> in interface <IF> to allow inbound ICMP replies.
  • Intrusion (IPS) policies may inspect and drop flows before access control rules are evaluated — a drop at IPS will remove the session and can prevent an AC rule from ever seeing the packet.
  • Always verify with multiple commands: ping for functional test, show access-list and show running-config access-group for policy, and show logging, show conn, show capture, and show arp for troubleshooting packet flow and firewall decisions.

Final tip: In production, narrow ACLs to specific source/destination IPs and types, and routinely review IPS events to avoid blocking legitimate traffic. The ACL pattern shown here is foundational and appears frequently on exams and in real datacenter/firewall deployments.