allow icmp dmz to inside

In asa version 9.x how can I allow icmp (ping) from hosts in the dmz to the inside interface?

Thanks.


7 Replies

Jouni Forss
VIP Alumni

Hi,

There should not be much that needs to be done.

Would be easier to see the actual firewall configuration to see the reason why it might not be working at the moment.

If I were to presume that you don't have any ACL configured on the "dmz" interface of the ASA and that the "dmz" interface of the ASA is of lower "security-level" than the "inside" interface, then you would have to configure an ACL and attach it to the "dmz" interface to both allow traffic out to the Internet from the "dmz" and also allow traffic that you need (for example ICMP) to the "inside".

In your software level you would not really need any NAT configurations between the "dmz" and the "inside" like it was in the older software levels so I would imagine that should not be the case.

You could also add ICMP Inspection to your configurations unless they are already present.

You should be able to check current "policy-map" configurations on the ASA with the following command

show run policy-map

Usually there is the default "policy-map" configuration and it's usually attached globally, which you can check with the command

show run service-policy

You should be able to either enter the following commands under the "policy-map" configurations

inspect icmp

inspect icmp error

Or try to insert the following old format commands

fixup protocol icmp error

If there are still some problems I would really need to look at the actual configurations and probably take some "packet-tracer" outputs.

For example

packet-tracer input dmz icmp <dmz-host-ip> 8 0 <inside-host-ip>

In some cases it's also good to check the actual destination hosts since they might be blocking the ICMP and not the firewall.

Hope this helps

- Jouni

Thanks for all that information but for now I just need to know how to simply create the acl in the cli to allow from the dmz to inside.

Hi,

Well there are still some things to consider.

If I were to create an ACL that simply only allows ICMP from the DMZ to the INSIDE then that would mean that all other traffic would be blocked and I don't know what other traffic should be allowed.

If I were to presume the following information to start with

  • INSIDE = 10.10.10.0/24
  • DMZ = 192.168.10.0/24
  • Allow ICMP traffic from DMZ->INSIDE but block all other traffic in this direction
  • Allow DMZ->OUTSIDE traffic
  • DMZ interface "nameif" is "dmz"

Then I would configure a simple ACL like this

access-list DMZ-IN remark Allow ICMP to INSIDE

access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

access-list DMZ-IN remark Block other traffic to INSIDE

access-list DMZ-IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list DMZ-IN remark Allow all other outbound traffic to OUTSIDE

access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any

access-group DMZ-IN in interface dmz

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

Thanks. I already have hosts in the dmz that can access the inside and traffic is flowing fine from outside to dmz to inside and vice versa.

I would like to know how to create the acl for a new host and allow the acl rule to allow icmp.

Hi,

Well from the above this ACL rule allows the ICMP Echo from DMZ to INSIDE

access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo

If you are using an existing ACL on the DMZ interface then this would have to be added to that ACL with the correct IP address information to allow the traffic.

If you have no ACL on the DMZ interface, then if DMZ hosts can already connect to INSIDE they should also be able to ICMP the hosts on the INSIDE, provided that the INSIDE hosts reply to ICMP. It's possible the hosts' software firewalls block that.

Without seeing any configurations its impossible for me to give any specific instructions.

- Jouni

Is it possible to have the rule only allow one host on the DMZ to ping the inside interface?

If I enter the command you suggested it looks like that will enable it for the entire interface. But if I only want a host on the DMZ to ping a host inside, I tried:

access-list DMZ-IN permit icmp 192.168.10.50 255.255.255.0 10.10.10.40 255.255.255.0 echo

and the error says 192.168.10.50 0.0.0.0> doesn't pair

Hi,

Then you would use this format

access-list DMZ-IN permit icmp host 192.168.10.50 10.10.10.40 255.255.255.0 echo

The "host" parameter defines that a single host IP address will follow. This would allow only the single source host.

Naturally the IP addresses I used in my example are made up and you should use the ones you have configured in your network.

Hope this helps

- Jouni
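As an added example (not from the thread and not Cisco's code), the following Python check reproduces the likely cause of the "doesn't pair" error: it assumes the ASA rule is that an address may have no host bits set under its mask (address AND mask must equal the address), which 192.168.10.50 with 255.255.255.0 violates. Under that same assumed rule the destination 10.10.10.40 255.255.255.0 in the accepted answer is flagged too, so `host 10.10.10.40` would be the form to use there as well; the ACE parser and the host-form rewrite are my own, and the ACE strings are constructed from the thread's made-up addresses.

```python
import ipaddress

# Constructed ACEs mirroring the thread (the thread's own made-up RFC 1918 addresses).
CONSTRUCTED_ACES = [
    "access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo",
    "access-list DMZ-IN permit icmp 192.168.10.50 255.255.255.0 10.10.10.40 255.255.255.0 echo",
    "access-list DMZ-IN permit icmp host 192.168.10.50 10.10.10.40 255.255.255.0 echo",
]

def addr_pairs_with_mask(addr, mask):
    """Assumed ASA 'doesn't pair' rule: no host bits may be set in addr under mask."""
    a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    return a & m == a

def parse_address(tokens):
    """Consume one address spec (any | host A | A MASK); return ((addr, mask), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def render_address(addr, mask):
    """Write an address spec back in canonical ASA form."""
    if mask == "0.0.0.0":
        return "any"
    return f"host {addr}" if mask == "255.255.255.255" else f"{addr} {mask}"

def check_ace(line):
    """Return (problems, suggested_line) for one extended ACE (remarks are out of scope)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: " + line)
    head, rest = tokens[:4], tokens[4:]      # access-list NAME action PROTOCOL
    src, rest = parse_address(rest)
    dst, rest = parse_address(rest)          # rest now holds e.g. the ICMP type 'echo'
    problems, fixed = [], []
    for label, (addr, mask) in (("source", src), ("destination", dst)):
        if addr_pairs_with_mask(addr, mask):
            fixed.append(render_address(addr, mask))
        else:
            # Assumption (as in the thread): a non-pairing address was meant as a single host.
            problems.append(f"{label} {addr} {mask} doesn't pair; use 'host {addr}'")
            fixed.append(f"host {addr}")
    return problems, " ".join(head + fixed + rest)

if __name__ == "__main__":
    for ace in CONSTRUCTED_ACES:
        problems, suggested = check_ace(ace)
        print(ace, problems or ["OK"], suggested, sep="\n  ")
```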
