cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
927
Views
0
Helpful
4
Replies

ICMP from dmz

gbudesheim
Level 1
Level 1

Hello,

Im trying to find the safest option (or alternative) to allow Icmp back into my network from the DMZ in order to troubleshoot. I know its incredibly unsafe to allow ICMP in case the DMZ gets compromised.  Requirements need me to alow ICMP return traffic from the DMZ to an entire subnet.

here is what I have so far (I was thinking ICMP 11 would work)

access-list acl_outside extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded

all help is appreciated!

G

2 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Your ACL name would seem to refer to an external interface and not the a DMZ interface but naturally cant say for sure as dont know the configuration.

If your aim is to allow LAN networks to ICMP the DMZ and allow the return traffic then to my understanding ICMP Inspection should be enough to have this work and you would not need to allow anything from the DMZ as the ASA should automatically allow the ICMP Echo Reply messages back. You could also add ICMP Error inspection.

Typically you add these to your "policy-map" configuration that is by default attached globally on the ASA if you have not removed those configurations.

Then you would simply have to allow ICMP from the required LAN networks to the DMZ on the LAN interfaces ACL.

- Jouni

View solution in original post

Hi,

To my understanding if you just configure ICMP Inspection / ICMP Error Inspection you wont have to even allow ICMP from the DMZ to any network.

The ASA will keep track of the ICMP connections initiated from the LAN networks that you use for troubleshooting and allow the return messages through from the DMZ back to the LAN.

Your DMZ interface ACL would not have to allow any kind of ICMP through.

- Jouni

View solution in original post

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Your ACL name would seem to refer to an external interface and not the a DMZ interface but naturally cant say for sure as dont know the configuration.

If your aim is to allow LAN networks to ICMP the DMZ and allow the return traffic then to my understanding ICMP Inspection should be enough to have this work and you would not need to allow anything from the DMZ as the ASA should automatically allow the ICMP Echo Reply messages back. You could also add ICMP Error inspection.

Typically you add these to your "policy-map" configuration that is by default attached globally on the ASA if you have not removed those configurations.

Then you would simply have to allow ICMP from the required LAN networks to the DMZ on the LAN interfaces ACL.

- Jouni

"access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded" would work then assuming I just wanted to perform troubleshooting by running traceroutes from the internal networks.   Another question I would have is how would I mitigate ICMP attacks if the DMZ was somehow compromised?

Hi,

To my understanding if you just configure ICMP Inspection / ICMP Error Inspection you wont have to even allow ICMP from the DMZ to any network.

The ASA will keep track of the ICMP connections initiated from the LAN networks that you use for troubleshooting and allow the return messages through from the DMZ back to the LAN.

Your DMZ interface ACL would not have to allow any kind of ICMP through.

- Jouni

Excellent thank you so much !

Review Cisco Networking for a $25 gift card