My network is set up as follows.

I have a Checkpoint with the following connections:
- one internal extended network
- HQ network (main internal network)
- DMZ -> between Checkpoint and ASA

I have an ASA that has the following connections:
- DMZ -> between ASA and Checkpoint
- HQ network (main internal network)
Currently the inside interface of the ASA allows any ICMP packets through (access-list acl_inside extended permit icmp any any).
On the outside interface we allow ICMP type 11 for traceroute troubleshooting with ATT (access-list acl_outside extended permit icmp object-group outside_att object-group Internal-Network time-exceeded).
The situation is this: I need to allow troubleshooting access back into the ASA from the internal extended network (behind the CP). So, for example, the extended internal network needs to be able to ping or traceroute to google.com for troubleshooting purposes: Internal 'extended network' -> 'CP' -> 'ASA' -> google.com
What would be the safest configuration on the ASA to allow this to happen? Currently there are no rules set to allow ICMP out of the ASA from the extended internal network. However, from the internal HQ network we can ping/trace through the inside interface on the ASA and then back in through the external interface.
Would it be safe to let ICMP type 11 traverse the HQ network (from Checkpoint to ASA)?
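Added example, not part of the original post: an ASA configuration fragment that narrows the existing `permit icmp any any` on the inside interface to just what ping and traceroute need, and relies on ICMP inspection so that the replies (echo-reply, time-exceeded, unreachable) are matched to the outgoing request instead of being opened inbound with a broad rule. The object-group name `Extended-Internal-Network` and its address range are placeholders; the post does not name the extended network's object, and the example assumes that traffic from it reaches the ASA on the `inside` interface. `acl_inside`, `acl_outside` and `Internal-Network` are taken from the post.

```cisco
! Placeholder object for the extended network behind the Checkpoint
! (name and 10.200.0.0/16 range are constructed, not from the post)
object-group network Extended-Internal-Network
 network-object 10.200.0.0 255.255.0.0
!
! Outbound from the extended network: only ICMP echo (type 8) for ping and
! Windows tracert, plus the UDP probe range used by Linux/macOS traceroute.
! This replaces "permit icmp any any" on acl_inside.
access-list acl_inside remark ping and traceroute from the extended network
access-list acl_inside extended permit icmp object-group Extended-Internal-Network any echo
access-list acl_inside extended permit udp object-group Extended-Internal-Network any range 33434 33534
!
! Make ICMP stateful: echo-reply, time-exceeded and unreachable that answer an
! outgoing probe are allowed back through the outside interface automatically,
! and "inspect icmp error" fixes up the embedded header when NAT is in use.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Only if inspection is not enabled: permit the return types explicitly,
! scoped to the internal addresses rather than "icmp any any".
access-list acl_outside remark ICMP return traffic for ping/traceroute
access-list acl_outside extended permit icmp any object-group Internal-Network echo-reply
access-list acl_outside extended permit icmp any object-group Internal-Network time-exceeded
access-list acl_outside extended permit icmp any object-group Internal-Network unreachable
!
! Optional: allow the extended network to ping the ASA inside interface itself
! (the icmp command takes an address/mask, not an object-group)
icmp permit 10.200.0.0 255.255.0.0 echo inside
```

With `inspect icmp` in place, the type-11 rule on the outside interface is only needed for traceroutes that originate outside (the ATT case in the post); probes that leave through the ASA get their time-exceeded replies back on the connection the ASA created for them, so no standing inbound ICMP permit from `any` is required for the extended network.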