topic Re: allow icmp dmz to inside in Network Security

allow icmp dmz to inside

tolinrome tolinrome — Tue, 12 Mar 2019 03:25:42 GMT

In asa version 9.x how can I allow icmp (ping) from hosts in the dmz to the inside interface?

Thanks.

allow icmp dmz to inside

Jouni Forss — Mon, 06 Jan 2014 20:32:51 GMT

Hi,

There should not be much that needs to be done.

Would be easier to see the actual firewall configuration to see the reason why it might not be working at the moment.

If I were to presume that you dont have any ACL configured on the "dmz" interface of the ASA and that the "dmz" interface of the ASA is of lower "security-level" than the "inside" interface then you would have to configure an ACL and attach it to the "dmz" interface to both allow traffic out to the Internet from the "dmz" and also allow traffic that you need (for example ICMP) to the "inside".

In your software level you would not really need any NAT configurations between the "dmz" and the "inside" like it was in the older software levels so I would imagine that should not be the case.

You could also add ICMP Inspection to your configurations unless they are already present.

You should be able to check current "policy-map" configurations on the ASA with the following command

show run policy-map

Usually there is the default "policy-map" configuration and its usually attached globally which you can check with the command

show run service-policy

You should be able to either enter the following commands under the "policy-map" configurations

inspect icmp

inspect icmp error

Or try to insert the following old format commands

fixup protocol icmp error

If there is still some problems would really need to look at the actual configurations and probably take some "packet-tracer" outputs

For example

packet-tracer input icmp 8 0

In some cases its also good to check the actual destination hosts since they might be blocking the ICMP and not the firewall.

Hope this helps

- Jouni

allow icmp dmz to inside

tolinrome tolinrome — Mon, 06 Jan 2014 21:16:09 GMT

Thanks for all that information but for now I just need to know how to simply create the acl in the cli to allow from the dmz to inside.

allow icmp dmz to inside

Jouni Forss — Mon, 06 Jan 2014 21:28:21 GMT

Hi,

Well there are still some things to consider.

If I were to create an ACL that simply only allows ICMP from the DMZ to the INSIDE then that would mean that all other traffic would be blocked and I don't know what other traffic should be allowed.

If I were to presume the following information to start with

INSIDE = 10.10.10.0/24
DMZ = 192.168.10.0/24
Allow ICMP traffic from DMZ->INSIDE but block all other traffic in this direction
Allow DMZ->OUTSIDE traffic
DMZ interface "nameif" is "dmz"

Then I would configure a simple ACL like this

access-list DMZ-IN remark Allow ICMP to INSIDE

access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

access-list DMZ-IN remark Block other traffic to INSIDE

access-list DMZ-IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list DMZ-IN remark Allow all other outbound traffic to OUTSIDE

access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any

access-group DMZ-IN in interface dmz

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

allow icmp dmz to inside

tolinrome tolinrome — Mon, 06 Jan 2014 21:38:42 GMT

Hi Jouni,

Thanks. I already have hosts in the dmz that can access the inside and traffic is flowing fine from outside to dmz to inside and vice versa.

I would like to know how to create the acl for a new host and allow the acl rule to allow icmp.

allow icmp dmz to inside

Jouni Forss — Mon, 06 Jan 2014 21:42:49 GMT

Hi,

Well from the above this ACL rule allows the ICMP Echo from DMZ to INSIDE

access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

If you are using an existing ACL on the DMZ interface then this would have to be added to that ACL with the correct IP address information to allow the traffic.

If you have no ACL on the DMZ interface then if DMZ hosts can already connect to INSIDE then they should also be able to ICMP the hosts on the INSIDE provided that the INSIDE hosts reply to ICMP. Its possible the hosts software firewalls block that.

Without seeing any configurations its impossible for me to give any specific instructions.

- Jouni

allow icmp dmz to inside

tolinrome tolinrome — Mon, 06 Jan 2014 22:13:55 GMT

is it possible to have th erule only allow one host on the dmz to ping the inside interface?

If I enter the command you suggested it looks liek that will enable for the entire interface. But if I only want a host on the dmz to ping a host inside I tried:

access-list DMZ-IN permit icmp 192.168.10.50 255.255.255.0 10.10.10.40 255.255.255.0 echo

and the error says 192.168.10.50 0.0.0.0> doesn't pair

Re: allow icmp dmz to inside

Jouni Forss — Mon, 06 Jan 2014 22:17:01 GMT

Hi,

Then you would use this format

access-list DMZ-IN permit icmp host 192.168.10.50 10.10.10.40 255.255.255.0 echo

The "host" parameter defines that a single host IP address will follow. This would allow only the single source host.

Naturally the the IP addresses I used in my example are made up and you should use the ones you have configured in your network.

Hope this helps

- Jouni