This topic has 0 replies, 1 voice, and was last updated 5 months, 1 week ago by Pankaj6in.
Pankaj6in (Keymaster)
What is an ACL in a network?
An Access Control List (ACL) is a numbered or named, ordered set of rules applied on a network device (router, switch or firewall) that permits or denies packets based on header fields such as source/destination IP address, IP protocol, TCP/UDP ports and, for ICMP, the ICMP type and code. ACLs are one of the simplest packet-filtering tools used to control traffic flowing into, out of, or through an interface. Each ACL entry (often called an ACE — access control entry) is evaluated in sequence; when a packet matches an ACE the corresponding action (permit or deny) is taken and processing stops. If no ACE matches, ACL implementations apply an implicit "deny all" at the end, so an ACL that contains only deny statements blocks everything.
How ACLs actually work — short technical notes
• Stateless vs. stateful: Traditional ACLs (as on many routers) are stateless — they inspect each packet independently. Modern firewalls add session awareness (stateful) so return traffic for an allowed session is automatically permitted without a specific return rule.
• ACL order matters: the first matching rule wins. Place specific rules before generic ones. An implicit deny at the end blocks anything not explicitly permitted.
Can you make one-directional ping with an ACL? (A can ping B, but B cannot ping A)
Yes — you can achieve one-directional ICMP (ping) using ACLs, but you must understand how the device handles ICMP and sessions:
1. Stateless router ACLs — possible:
On a stateless router you can create rules that allow ICMP echo requests from A→B while denying echo requests from B→A. For example, on a Cisco router an extended ACL can permit ICMP with source A and destination B restricted to the echo keyword (ICMP type 8), permit ICMP from B to A restricted to echo-reply (type 0), and deny echo requests from B to A. Because the router treats the echo request and the echo reply as unrelated packets, the reply from B to A must be permitted explicitly; a blanket "deny icmp B A" would drop B's replies and break A's ping as well. Example configurations and samples are well documented in Cisco's ACL guides.
2. Stateful firewalls — watch the session behavior:
Many modern firewalls (Palo Alto, ASA, Fortinet etc.) are session-aware. If you permit A to initiate ICMP to B, the firewall automatically allows the ICMP echo-reply back to A as part of the same session. That also means a rule permitting ping from A to B does not, by itself, permit B to ping A: an echo request from B is a new session that must match its own permit rule or it hits the implicit deny. To make one-way ping in a stateful firewall explicit, you can either: (a) create application/ICMP-type specific rules that block incoming echo requests toward A while permitting outgoing requests from A; or (b) use asymmetric policies/zones combined with explicit deny rules for the reverse direction. Palo Alto's docs recommend blocking ping specifically by ICMP type rather than blocking all ICMP, because other ICMP messages (for example destination unreachable and fragmentation needed) are used for diagnostics and path MTU discovery.
Examples from different OEMs (short)
• Cisco (router ACLs): Use an extended IP ACL applied inbound or outbound on interfaces. Permit icmp host A host B echo, permit icmp host B host A echo-reply, and deny icmp host B host A echo (followed by whatever else the interface must pass, since the implicit deny ends the list). Cisco sample configs and reference guides show the exact commands and common patterns.
• Juniper (Junos firewall filters): Junos uses “firewall-filters” which are functionally equivalent to ACLs. You define term(s) matching source/destination and protocol (icmp) and apply the filter on the interface (input/output). Junos examples demonstrate direction-specific filters for ICMP.
• Palo Alto Networks: Use security policies or create a custom application based on ICMP type to allow/deny echo-request (type 8) specifically. Because Palo Alto is stateful, carefully order policies and use ICMP-type filtering if you want asymmetry. Palo Alto knowledge base covers best practices.
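To make the stateless case concrete, here is an added example (not code from the original post or from any vendor): a small Python evaluator for a subset of Cisco IOS extended-ACL syntax. It models one ordered rule set that both directions of traffic pass through, which is a simplification (on a real router you would usually split these rules across the inbound ACLs of two interfaces). The addresses 10.0.0.1 (A) and 10.0.0.2 (B) and the ACL names are constructed for the example. It shows first-match and implicit-deny semantics, and why a naive "deny all ICMP from B to A" breaks A's own ping while the corrected list that permits echo-reply gives one-way ping.

```python
"""Stateless evaluator for a subset of Cisco IOS extended-ACL syntax.

Added example, not the original post's or any vendor's code. One rule set
is applied to both directions of traffic (a simplification of a real router).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # IOS keywords understood here


@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # host address or "any"
    dst: str
    icmp_type: Optional[int]   # None = any ICMP type


def parse_ace(line: str) -> ACE:
    """Parse e.g. 'permit icmp host 10.0.0.1 host 10.0.0.2 echo'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, pos = tok[0], tok[1], 2

    def address() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host" and pos + 1 < len(tok):
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address in: {line!r}")

    src, dst = address(), address()
    icmp_type = None
    if pos < len(tok):                     # optional ICMP type keyword
        if proto != "icmp" or tok[pos] not in ICMP_TYPES:
            raise ValueError(f"unsupported qualifier in: {line!r}")
        icmp_type = ICMP_TYPES[tok[pos]]
    return ACE(action, proto, src, dst, icmp_type)


def parse_acl(text: str) -> List[ACE]:
    """Parse a named extended ACL body; header and '!' comment lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", "ip access-list")):
            aces.append(parse_ace(line))
    return aces


def matches(ace: ACE, pkt: Packet) -> bool:
    """Every field of the ACE must match; 'ip', 'any' and a missing type are wildcards."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src == "any" or ace.src == pkt.src)
            and (ace.dst == "any" or ace.dst == pkt.dst)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for index, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, index
    return "deny", None


def ping_succeeds(acl: List[ACE], src: str, dst: str) -> bool:
    """A stateless filter must pass both the echo request and the echo reply."""
    request_ok = evaluate(acl, Packet("icmp", src, dst, 8))[0] == "permit"
    reply_ok = evaluate(acl, Packet("icmp", dst, src, 0))[0] == "permit"
    return request_ok and reply_ok


A, B = "10.0.0.1", "10.0.0.2"   # constructed sample addresses

# Common mistake: denying all ICMP from B to A also drops B's echo replies.
NAIVE_ACL = parse_acl("""
ip access-list extended ONEWAY-NAIVE
 permit icmp host 10.0.0.1 host 10.0.0.2 echo
 deny icmp host 10.0.0.2 host 10.0.0.1
 permit ip any any
""")

# Corrected: permit the reply explicitly, deny only B's echo requests.
ONEWAY_ACL = parse_acl("""
ip access-list extended ONEWAY
 permit icmp host 10.0.0.1 host 10.0.0.2 echo
 permit icmp host 10.0.0.2 host 10.0.0.1 echo-reply
 deny icmp host 10.0.0.2 host 10.0.0.1 echo
 permit ip any any
""")

if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("corrected", ONEWAY_ACL)):
        print(f"{name}: A->B ping {ping_succeeds(acl, A, B)}, "
              f"B->A ping {ping_succeeds(acl, B, A)}")
```

Running it shows the naive list failing in both directions (A's ping dies on the echo-reply) while the corrected list yields A→B true, B→A false. Swapping the order so that permit ip any any comes first would permit everything, which is the "first match wins" rule from the notes above.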
Practical tips
• Test both directions with packet captures, ACL hit counters (show access-lists on Cisco IOS) or debug output to confirm behavior; an ACE that never increments its counter is usually shadowed by an earlier, more general rule.
• Remember management/diagnostic ICMP is useful — avoid broadly blocking all ICMP unless you understand the impact.
• On Cisco IOS an outbound ACL does not filter traffic the router itself generates, so pings sourced from the router are not a valid test of an outbound ACL.

Sources
• Cisco Nexus 5000 CLI Configuration Guide (PDF)
• ACL to Block/Allow Pings – Cisco Community
• Juniper Firewall Filter Example
• Palo Alto – Blocking ICMP with Security Policy
• What Is an Access Control List (ACL)? – CBT Nuggets
• Block ICMP Using Extended ACL – Linux Tiwary
• Juniper – Permitted IP Configuration Example
• Deploying Access Lists for the First Time – Auvik
• Cisco – ACL Configuration Samples
• ACL on Juniper JunOS – Traceroute Blog
• How to Block ICMP Ping on Cisco Routers – ComputerNetworkingNotes
• Palo Alto – ICMP and Security Profiles
• Troubleshoot Failed Ping in Palo Alto Firewalls – Exam-Labs
• Dealing with Bad Actors – Palo Alto
• Access Control List Concepts – Pluralsight
• Permit Ping and Traceroute, Deny All Else – Stack Exchange
• Allow ICMP for All – Reddit PaloAltoNetworks
• YouTube: ACL Configuration and ICMP Control