allow icmp dmz to inside

In asa version 9.x how can I allow icmp (ping) from hosts in the dmz to the inside interface?

Thanks.

7 REPLIES
allow icmp dmz to inside

Hi,

There should not be much that needs to be done.

Would be easier to see the actual firewall configuration to see the reason why it might not be working at the moment.

If I were to presume that you don't have any ACL configured on the "dmz" interface of the ASA and that the "dmz" interface of the ASA is of lower "security-level" than the "inside" interface, then you would have to configure an ACL and attach it to the "dmz" interface to both allow traffic out to the Internet from the "dmz" and also allow traffic that you need (for example ICMP) to the "inside".

In your software level you would not really need any NAT configurations between the "dmz" and the "inside" like it was in the older software levels so I would imagine that should not be the case.

You could also add ICMP Inspection to your configurations unless they are already present.

You should be able to check current "policy-map" configurations on the ASA with the following command

show run policy-map

Usually there is the default "policy-map" configuration and it's usually attached globally, which you can check with the command

show run service-policy

You should be able to either enter the following commands under the "policy-map" configurations

inspect icmp

inspect icmp error

Or try to insert the following old format commands

fixup protocol icmp error

If there are still some problems I would really need to look at the actual configurations and probably take some "packet-tracer" outputs

For example

packet-tracer input icmp 8 0

In some cases it's also good to check the actual destination hosts since they might be blocking the ICMP and not the firewall.

Hope this helps

- Jouni

allow icmp dmz to inside

Thanks for all that information but for now I just need to know how to simply create the acl in the cli to allow from the dmz to inside.

allow icmp dmz to inside

Hi,

Well there are still some things to consider.

If I were to create an ACL that simply only allows ICMP from the DMZ to the INSIDE then that would mean that all other traffic would be blocked and I don't know what other traffic should be allowed.

If I were to presume the following information to start with

  • INSIDE = 10.10.10.0/24
  • DMZ = 192.168.10.0/24
  • Allow ICMP traffic from DMZ->INSIDE but block all other traffic in this direction
  • Allow DMZ->OUTSIDE traffic
  • DMZ interface "nameif" is "dmz"

Then I would configure a simple ACL like this

access-list DMZ-IN remark Allow ICMP to INSIDE
access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo
access-list DMZ-IN remark Block other traffic to INSIDE
access-list DMZ-IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ-IN remark Allow all other outbound traffic to OUTSIDE
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ-IN in interface dmz

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

allow icmp dmz to inside

Hi Jouni,

Thanks. I already have hosts in the dmz that can access the inside and traffic is flowing fine from outside to dmz to inside and vice versa.

I would like to know how to create the acl for a new host and allow the acl rule to allow icmp.

allow icmp dmz to inside

Hi,

Well from the above this ACL rule allows the ICMP Echo from DMZ to INSIDE

access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

If you are using an existing ACL on the DMZ interface then this would have to be added to that ACL with the correct IP address information to allow the traffic.

If you have no ACL on the DMZ interface, then if DMZ hosts can already connect to INSIDE they should also be able to ICMP the hosts on the INSIDE, provided that the INSIDE hosts reply to ICMP. It's possible the hosts' software firewalls block that.

Without seeing any configurations it's impossible for me to give any specific instructions.

- Jouni

allow icmp dmz to inside

Is it possible to have the rule only allow one host on the dmz to ping the inside interface?

If I enter the command you suggested it looks like that will enable it for the entire interface. But if I only want a host on the dmz to ping a host inside I tried:

access-list DMZ-IN permit icmp 192.168.10.50 255.255.255.0 10.10.10.40 255.255.255.0 echo

and the error says 192.168.10.50 0.0.0.0> doesn't pair

Re: allow icmp dmz to inside (accepted solution)

Hi,

Then you would use this format

access-list DMZ-IN permit icmp host 192.168.10.50 10.10.10.40 255.255.255.0 echo

The "host" parameter defines that a single host IP address will follow. This would allow only the single source host.

Naturally the IP addresses I used in my example are made up and you should use the ones you have configured in your network.

Hope this helps

- Jouni
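As an added illustration (not Jouni's, the asker's, or Cisco's code), a small Python model of the DMZ-IN ACL from this thread: it applies the ASA's first-match order and implicit deny to constructed sample packets, and mirrors the "doesn't pair" check that rejected the asker's host line. The single-host ACE it renders uses the host keyword on both source and destination, which is narrower than the accepted answer's /24 destination; the ACL name and addresses are the ones from the thread.

```python
import ipaddress

# Constructed copy of the DMZ-IN ACL from the thread, in configured order:
# (action, protocol, source net, destination net, icmp type or None)
DMZ_IN = [
    ("permit", "icmp", "192.168.10.0/255.255.255.0", "10.10.10.0/255.255.255.0", "echo"),
    ("deny",   "ip",   "192.168.10.0/255.255.255.0", "10.10.10.0/255.255.255.0", None),
    ("permit", "ip",   "192.168.10.0/255.255.255.0", "0.0.0.0/0.0.0.0",          None),
]

def pairs(addr, mask):
    """True when addr has no host bits set under mask (the ASA 'doesn't pair' test)."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return ((a & ~m) & 0xFFFFFFFF) == 0

def operand(addr, mask):
    """Render one address operand the way the ASA ACE syntax expects it."""
    if mask == "255.255.255.255":
        return f"host {addr}"                # single host: 'host' keyword, no mask
    if mask == "0.0.0.0":
        return "any"
    if not pairs(addr, mask):
        raise ValueError(f"{addr} {mask} doesn't pair")   # the error the asker hit
    return f"{addr} {mask}"

def build_ace(name, action, proto, src, dst, icmp_type=None):
    """Build one access-list line; src and dst are (address, mask) tuples."""
    line = f"access-list {name} {action} {proto} {operand(*src)} {operand(*dst)}"
    return line + (f" {icmp_type}" if icmp_type else "")

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First-match evaluation with the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, snet, dnet, t in acl:
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if s not in ipaddress.IPv4Network(snet) or d not in ipaddress.IPv4Network(dnet):
            continue
        if t is not None and t != icmp_type:  # ICMP type qualifier, e.g. 'echo'
            continue
        return action
    return "deny"                             # implicit deny: no ACE matched
```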
