ICMP asa configs

Unanswered Question
Feb 14th, 2014

My network is set up as follows.

I have a Checkpoint with the following connections:

- one internal extended network
- HQ network (main internal network)
- DMZ -> between Checkpoint and ASA

I have an ASA that has the following connections:

- DMZ -> between ASA and Checkpoint
- HQ network (main internal network)

Currently the inside interface of the ASA allows any ICMP packets through (access-list acl_inside extended permit icmp any any).

On the outside interface we allow ICMP type 11 for traceroute troubleshooting with ATT (access-list acl_outside extended permit icmp object-group outside_att object-group Internal-Network time-exceeded).

The situation is this: I need to allow troubleshooting access back into the ASA from the internal extended network (behind the CP). So, for example, if the extended internal network needs to ping or traceroute to google.com for troubleshooting purposes: internal 'extended network' -> 'CP' -> 'ASA' -> google.com.

What would be the safest configuration on the ASA to allow this to happen? Currently there are no rules set to allow ICMP out of the ASA from the extended internal. However, from the internal HQ network we can ping/trace through the inside int on the ASA and then back in through the external int.

Would it be safe to traverse the HQ network (from Checkpoint to ASA) with ICMP type 11?
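An added example (not part of the original post) of the narrower alternative to `permit icmp any any` on the inside interface: permit only echo and UDP traceroute probes from named source networks, and let stateful ICMP inspection handle the replies. The object-group names and address ranges below are constructed assumptions; the existing `acl_outside` time-exceeded rule is kept as the poster describes it.

```cisco
! Constructed object groups (assumptions): EXTENDED-NET is the extended internal
! network behind the Checkpoint; INSIDE-NETS is HQ plus the extended network.
object-group network EXTENDED-NET
 network-object 10.20.0.0 255.255.0.0
object-group network INSIDE-NETS
 network-object 10.10.0.0 255.255.0.0
 group-object EXTENDED-NET
!
! Inside ACL: permit only what ping and traceroute actually send outbound,
! and only from known source networks, instead of "permit icmp any any".
! ICMP echo covers ping and Windows tracert; the UDP range covers Unix traceroute.
access-list acl_inside extended permit icmp object-group INSIDE-NETS any echo
access-list acl_inside extended permit udp object-group INSIDE-NETS any range 33434 33534
!
! Outside ACL: the time-exceeded rule from the original post stays as-is; it is
! the only inbound ICMP opening needed for traceroute hops to be reported.
access-list acl_outside extended permit icmp object-group outside_att object-group Internal-Network time-exceeded
!
! Stateful ICMP inspection: echo-replies are matched to the outbound echo that
! created the session and allowed back without an explicit inbound ACL entry.
! "inspect icmp error" additionally rewrites the embedded addresses in ICMP
! error messages (time-exceeded, unreachable) when NAT is in use, so the
! sending hop's reply reaches the original inside host.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
```

Verify with `show service-policy inspect icmp` and `show access-list acl_inside` that the hit counts land on the narrow entries rather than a catch-all rule.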
