https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460470#M270174 <HTML><HEAD></HEAD><BODY><P>Excellent thank you so much !</P></BODY></HTML> Thu, 06 Feb 2014 18:37:13 GMT gbudesheim 2014-02-06T18:37:13Z https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460466#M270170 <P>Hello,</P><P></P><P>Im trying to find the safest option (or alternative) to allow Icmp back into my network from the DMZ in order to troubleshoot. I know its incredibly unsafe to allow ICMP in case the DMZ gets compromised.&nbsp; Requirements need me to alow ICMP return traffic from the DMZ to an entire subnet.</P><P></P><P>here is what I have so far (I was thinking ICMP 11 would work)</P><P></P><P></P><P>access-list acl_outside extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded</P><P></P><P>all help is appreciated!</P><P></P><P>G</P> Tue, 12 Mar 2019 03:41:33 GMT https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460466#M270170 gbudesheim 2019-03-12T03:41:33Z https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460467#M270171 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Your ACL name would seem to refer to an external interface and not the a DMZ interface but naturally cant say for sure as dont know the configuration.</P><P></P><P>If your aim is to allow LAN networks to ICMP the DMZ and allow the return traffic then to my understanding ICMP Inspection should be enough to have this work and you would not need to allow anything from the DMZ as the ASA should automatically allow the ICMP Echo Reply messages back. You could also add ICMP Error inspection.</P><P></P><P>Typically you add these to your<STRONG> "policy-map"</STRONG> configuration that is by default attached globally on the ASA if you have not removed those configurations.</P><P></P><P>Then you would simply have to allow ICMP from the required LAN networks to the DMZ on the LAN interfaces ACL.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 06 Feb 2014 18:14:02 GMT https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460467#M270171 Jouni Forss 2014-02-06T18:14:02Z https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460468#M270172 <HTML><HEAD></HEAD><BODY><P>"access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded" would work then assuming I just wanted to perform troubleshooting by running traceroutes from the internal networks.&nbsp;&nbsp; Another question I would have is how would I mitigate ICMP attacks if the DMZ was somehow compromised?</P></BODY></HTML> Thu, 06 Feb 2014 18:26:06 GMT https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460468#M270172 gbudesheim 2014-02-06T18:26:06Z https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460469#M270173 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding if you just configure ICMP Inspection / ICMP Error Inspection you wont have to even allow ICMP from the DMZ to any network.</P><P></P><P>The ASA will keep track of the ICMP connections initiated from the LAN networks that you use for troubleshooting and allow the return messages through from the DMZ back to the LAN. </P><P></P><P>Your DMZ interface ACL would not have to allow any kind of ICMP through.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 06 Feb 2014 18:29:24 GMT https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460469#M270173 Jouni Forss 2014-02-06T18:29:24Z https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460470#M270174 <HTML><HEAD></HEAD><BODY><P>Excellent thank you so much !</P></BODY></HTML> Thu, 06 Feb 2014 18:37:13 GMT https://community.cisco.com/t5/network-security/icmp-from-dmz/m-p/2460470#M270174 gbudesheim 2014-02-06T18:37:13Z