02-06-2014 10:08 AM - edited 03-11-2019 08:41 PM
Hello,
I'm trying to find the safest option (or alternative) to allow ICMP back into my network from the DMZ in order to troubleshoot. I know it's incredibly unsafe to allow ICMP in case the DMZ gets compromised. Requirements need me to allow ICMP return traffic from the DMZ to an entire subnet.
Here is what I have so far (I was thinking ICMP 11 would work):
access-list acl_outside extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded
All help is appreciated!
G
02-06-2014 10:14 AM
Hi,
Your ACL name would seem to refer to an external interface and not a DMZ interface, but naturally I can't say for sure as I don't know the configuration.
If your aim is to allow LAN networks to ICMP the DMZ and allow the return traffic, then to my understanding ICMP Inspection should be enough to have this work, and you would not need to allow anything from the DMZ, as the ASA should automatically allow the ICMP Echo Reply messages back. You could also add ICMP Error inspection.
Typically you add these to your "policy-map" configuration, which is by default attached globally on the ASA if you have not removed those configurations.
Then you would simply have to allow ICMP from the required LAN networks to the DMZ on the LAN interface's ACL.
- Jouni
02-06-2014 10:26 AM
"access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded" would work then, assuming I just wanted to perform troubleshooting by running traceroutes from the internal networks. Another question I would have is: how would I mitigate ICMP attacks if the DMZ was somehow compromised?
02-06-2014 10:29 AM
Hi,
To my understanding, if you just configure ICMP Inspection / ICMP Error Inspection you won't even have to allow ICMP from the DMZ to any network.
The ASA will keep track of the ICMP connections initiated from the LAN networks that you use for troubleshooting and allow the return messages through from the DMZ back to the LAN.
Your DMZ interface ACL would not have to allow any kind of ICMP through.
- Jouni
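To make the two replies above concrete, here is an added ASA configuration example (not posted by Jouni or the original poster) that puts the original ACL-hole approach next to the stateful-inspection approach. The object-group names DMZhosts and Internal-Network come from the thread; the interface names "inside" and "dmz", the ACL name "acl_inside", and the policy-map/class names (which are the ASA defaults, "global_policy" and "inspection_default") are assumptions.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
!
! 1. The approach from the original post: a permanent hole in the DMZ interface
!    ACL that lets any DMZ host send ICMP Time Exceeded (type 11) to the whole
!    internal subnet, whether or not anyone inside is running a traceroute.
access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded
access-group acl_dmz in interface dmz
!
! 2. The approach Jouni describes: stateful ICMP inspection in the global policy.
!    "inspect icmp" records each Echo Request that leaves the inside interface
!    and admits only the matching Echo Reply (same type/code/ID pairing);
!    "inspect icmp error" additionally admits an ICMP error (e.g. Time Exceeded)
!    whose quoted inner packet matches a connection the ASA already tracks.
!    Unsolicited ICMP from the DMZ matches no connection and is dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! 3. Only the inside interface ACL needs to permit the outbound pings and
!    traceroutes; the DMZ ACL needs no ICMP entry at all.
access-list acl_inside extended permit icmp object-group Internal-Network object-group DMZhosts
access-group acl_inside in interface inside
!
! With 2 and 3 in place, the ACE from step 1 can be removed:
no access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded
!
! Verification (run from the inside while a ping/traceroute to a DMZ host is
! in progress):
!   show service-policy inspect icmp      (inspection counters increment)
!   show conn protocol icmp               (a per-request ICMP connection appears)
```

The security difference is the scope of exposure: the ACE in step 1 is open all the time to every host in the DMZ object-group, whereas with inspection a DMZ host can only reach an inside address that is currently probing it, and only with the single reply or error that matches that probe. Note that Windows tracert sends ICMP Echo probes while Linux traceroute defaults to UDP probes; in the UDP case the ICMP error is matched against the tracked UDP connection rather than an ICMP one, so check `show conn` for the probe protocol you actually use if replies are missing.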
02-06-2014 10:37 AM
Excellent, thank you so much!