Firewall vs ACL — Determining Which is Blocking Traffic
Presenting Symptom
Users in the branch office cannot reach the internet, but can reach internal servers across the WAN link.
Network Context
The branch office has a Cisco 4321 ISR router (IOS XE 16.9) connected to an ASA 5506-X firewall (ASA 9.12) via GigabitEthernet0/0. The ASA connects to the ISP. The router has an ACL applied to its WAN interface (GigabitEthernet0/1) for security. The firewall has an access-list blocking certain traffic. The network is a small branch with about 50 users.
Diagnostic Steps
Check connectivity to the internet
ping 8.8.8.8 source GigabitEthernet0/0
Success rate is 0 percent (0/5)
Ping fails, indicating traffic is being blocked somewhere between the router and the internet.
Check if the router's ACL is blocking traffic
show access-lists
Extended IP access list OUTBOUND_ACL
10 permit ip 192.168.1.0 0.0.0.255 any
20 deny ip any any (4 matches)
The ACL shows matches on the deny statement, meaning the router is blocking traffic. The source IP of the ping may not match the permit statement.
Check the firewall's access-list
show access-list
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE extended deny ip any any (10 matches)
The firewall also has a deny statement with matches, indicating it is also blocking traffic. Both devices are blocking.
Determine which device is blocking first by checking the path
traceroute 8.8.8.8
1 192.168.1.1 (router) 1 ms 1 ms 1 ms
2 10.0.0.2 (firewall) 2 ms 2 ms 2 ms
3 * * *
The traceroute gets a reply from the firewall hop and then stops, indicating the firewall is the device blocking the traffic once it has passed the router.
Root Cause
Both the router's ACL and the firewall's access-list are blocking traffic from the branch office to the internet. The router's ACL has a deny any statement that is matching traffic, and the firewall also has a deny any statement. The router's ACL is misconfigured because it denies all traffic except the permitted subnet, but the ping source might not be in that subnet. Additionally, the firewall's ACL is too restrictive.
Resolution
Verification
1. On router: show access-lists (should show no matches on deny)
2. On firewall: show access-list (should show no matches on deny)
3. Ping 8.8.8.8 from router: should succeed with 5/5 success.
Prevention
1. Use explicit permit statements for required traffic and avoid using 'deny any any' without careful consideration.
2. Implement logging on ACLs to monitor hits and review periodically.
3. Use a layered security approach with clear documentation of which device is responsible for which filtering.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests troubleshooting skills for ACL and firewall filtering. Questions may present a similar symptom and ask to identify which device is blocking traffic using show commands. Candidates must understand how to interpret ACL hit counts and traceroute output to isolate the problem.
Exam Tips
Remember that ACLs are processed top-down; the first match is applied. Check the order of entries.
Use 'show access-lists' to see hit counts; a non-zero count on a deny entry indicates blocked traffic.
Traceroute can help identify where packets stop; if it stops at a router, the issue is likely there; if at a firewall, the firewall is blocking.
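The hit-count reading from the diagnostic steps and the top-down, first-match rule from the exam tips, as an added Python example that is not part of the original scenario: it parses the two ACL listings shown above, reports deny entries with non-zero counters, and evaluates which entry a given source address would hit. It goes beyond the page by handling both IOS wildcard masks and ASA subnet masks, and by accepting ASA's usual "(hitcnt=N)" counter format alongside the "(N matches)" form the page shows. The sample listings are constructed copies of the scenario output.

```python
import ipaddress
import re
# Constructed sample inputs, copied from the scenario's router and firewall listings.
ROUTER_ACL = """Extended IP access list OUTBOUND_ACL
    10 permit ip 192.168.1.0 0.0.0.255 any
    20 deny ip any any (4 matches)"""
ASA_ACL = """access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE extended deny ip any any (10 matches)"""
# One IOS ACE (sequence number) or ASA ACE ('access-list NAME extended'), ip protocol,
# no port qualifiers. ASA really prints "(hitcnt=N)"; the page shows "(N matches)".
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)|access-list\s+(?P<name>\S+)\s+extended)\s+"
    r"(?P<action>permit|deny)\s+ip\s+(?P<src>any|\S+ \S+)\s+(?P<dst>any|\S+ \S+)"
    r"(?:\s+\((?:(?P<hits>\d+) matches|hitcnt=(?P<hitcnt>\d+))\))?\s*$"
)

def parse_acl(text, style):
    """Parse 'show access-list(s)' output in entry order; style is 'ios' or 'asa'."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # list headers and unsupported lines are skipped
        d = m.groupdict()
        d["style"] = style
        d["seq"] = int(d["seq"]) if d["seq"] else None
        d["hits"] = int(d["hits"] or d["hitcnt"] or 0)
        entries.append(d)
    return entries

def _covers(field, ip, style):
    """Does an ACE address field ('any' or 'address mask') cover ip?"""
    if field == "any":
        return True
    addr, mask = field.split()
    mask_int = int(ipaddress.ip_address(mask))
    # IOS wildcard: 1 bit = don't care; ASA subnet mask: 1 bit = must match.
    care = mask_int ^ 0xFFFFFFFF if style == "ios" else mask_int
    return (int(ipaddress.ip_address(addr)) & care) == (int(ip) & care)

def first_match(entries, src_ip, dst_ip):
    """Top-down evaluation: the first matching ACE wins; None means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if _covers(e["src"], src, e["style"]) and _covers(e["dst"], dst, e["style"]):
            return e
    return None

def active_denies(entries):
    """Deny ACEs with a non-zero hit count: the entries actually dropping packets."""
    return [e for e in entries if e["action"] == "deny" and e["hits"] > 0]
```

Evaluating a source outside 192.168.1.0/24 (for instance the router's own WAN-side address when pinging with "source GigabitEthernet0/0") lands on the deny entry on both devices, which is exactly the condition the hit counters reveal.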
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.
traceroute [ip]
Traces the route packets take from the source device to a destination IP address, showing each hop along the path, used to diagnose network path issues and latency.