01-06-2014 12:19 PM - edited 03-11-2019 08:25 PM
In asa version 9.x how can I allow icmp (ping) from hosts in the dmz to the inside interface?
Thanks.
01-06-2014 02:17 PM
Hi,
Then you would use this format
access-list DMZ-IN permit icmp host 192.168.10.50 10.10.10.40 255.255.255.0 echo
The "host" parameter defines that a single host IP address will follow. This would allow only the single source host.
Naturally, the IP addresses I used in my example are made up and you should use the ones you have configured in your network.
Hope this helps
- Jouni
01-06-2014 12:32 PM
Hi,
There should not be much that needs to be done.
It would be easier to see the actual firewall configuration to see the reason why it might not be working at the moment.
If I were to presume that you don't have any ACL configured on the "dmz" interface of the ASA and that the "dmz" interface of the ASA is of lower "security-level" than the "inside" interface, then you would have to configure an ACL and attach it to the "dmz" interface to both allow traffic out to the Internet from the "dmz" and also allow traffic that you need (for example ICMP) to the "inside".
In your software level you would not really need any NAT configurations between the "dmz" and the "inside" like it was in the older software levels so I would imagine that should not be the case.
You could also add ICMP Inspection to your configurations unless they are already present.
You should be able to check current "policy-map" configurations on the ASA with the following command
show run policy-map
Usually there is the default "policy-map" configuration and it's usually attached globally, which you can check with the command
show run service-policy
You should be able to either enter the following commands under the "policy-map" configurations
inspect icmp
inspect icmp error
Or try to insert the following old format commands
fixup protocol icmp error
If there are still some problems, I would really need to look at the actual configurations and probably take some "packet-tracer" outputs
For example
packet-tracer input
In some cases it's also good to check the actual destination hosts since they might be blocking the ICMP and not the firewall.
Hope this helps
- Jouni
01-06-2014 01:16 PM
Thanks for all that information, but for now I just need to know how to simply create the acl in the cli to allow from the dmz to inside.
01-06-2014 01:28 PM
Hi,
Well there are still some things to consider.
If I were to create an ACL that simply only allows ICMP from the DMZ to the INSIDE then that would mean that all other traffic would be blocked and I don't know what other traffic should be allowed.
If I were to presume the following information to start with
Then I would configure a simple ACL like this
access-list DMZ-IN remark Allow ICMP to INSIDE
access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo
access-list DMZ-IN remark Block other traffic to INSIDE
access-list DMZ-IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ-IN remark Allow all other outbound traffic to OUTSIDE
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
01-06-2014 01:38 PM
Hi Jouni,
Thanks. I already have hosts in the dmz that can access the inside and traffic is flowing fine from outside to dmz to inside and vice versa.
I would like to know how to create the acl for a new host and allow the acl rule to allow icmp.
01-06-2014 01:42 PM
Hi,
Well, from the above, this ACL rule allows the ICMP Echo from DMZ to INSIDE
access-list DMZ-IN permit icmp 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 echo
If you are using an existing ACL on the DMZ interface then this would have to be added to that ACL with the correct IP address information to allow the traffic.
If you have no ACL on the DMZ interface, then if DMZ hosts can already connect to INSIDE they should also be able to ICMP the hosts on the INSIDE, provided that the INSIDE hosts reply to ICMP. It's possible the hosts' software firewalls block that.
Without seeing any configurations its impossible for me to give any specific instructions.
- Jouni
01-06-2014 02:13 PM
Is it possible to have the rule only allow one host on the dmz to ping the inside interface?
If I enter the command you suggested it looks like that will enable for the entire interface. But if I only want a host on the dmz to ping a host inside I tried:
access-list DMZ-IN permit icmp 192.168.10.50 255.255.255.0 10.10.10.40 255.255.255.0 echo
and the error says 192.168.10.50 0.0.0.0> doesn't pair
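As an added illustration that is not part of the thread, here is a small Python model of how the ASA walks a DMZ-IN list top to bottom, using Jouni's rule order and his "host" keyword to narrow the first line to a single source and destination. The ACL text and addresses are constructed, and the host-bits check stands in for the ASA rejecting an address that does not match its mask (the thread's 192.168.10.50 255.255.255.0); the ASA's own error wording is not reproduced.

```python
import ipaddress

# Constructed ACL modelled on Jouni's replies: his ordered rule set, with the
# first line narrowed to one DMZ host and one INSIDE host via "host". Addresses are illustrative.
ACL_TEXT = """
access-list DMZ-IN remark Allow ICMP echo from one DMZ host to one INSIDE host
access-list DMZ-IN permit icmp host 192.168.10.50 host 10.10.10.40 echo
access-list DMZ-IN remark Block other traffic to INSIDE
access-list DMZ-IN deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ-IN remark Allow all other outbound traffic to OUTSIDE
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
"""

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'. An address with host bits
    set under its mask raises ValueError, standing in for the ASA's rejection."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text, name):
    """Ordered (action, proto, src, dst, icmp_type) entries of ACL `name`."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        entries.append((t[2], t[3], src, dst, rest[0] if rest else None))
    return entries

def is_valid_entry(line, name="DMZ-IN"):
    try:
        return bool(parse_acl(line, name))
    except ValueError:
        return False

def evaluate(entries, proto, src, dst, icmp_type=None):
    """First-match evaluation ending in the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, it in entries:
        if (p != "ip" and p != proto) or s not in sn or d not in dn:
            continue
        if it is not None and it != icmp_type:
            continue
        return action
    return "deny"
```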