Cisco Support Community
ICMP ASA configs

My network is set up as follows

I have a Checkpoint with the following connections:

     - one internal extended network

     - HQ network (main internal network)

     - DMZ -> between Checkpoint and ASA

I have an ASA that has the following connections:

     - DMZ -> between ASA and Checkpoint

     - HQ network (main internal network)

Currently the inside interface of the ASA allows any ICMP packets through (access-list acl_inside extended permit icmp any any).

On the outside interface we allow ICMP type 11 for traceroute troubleshooting with ATT (access-list acl_outside extended permit icmp object-group outside_att object-group Internal-Network time-exceeded).

The situation is this: I need to allow troubleshooting access back into the ASA from the internal extended network (behind the CP), for example when the extended internal network needs to ping or traceroute to it for troubleshooting purposes. Internal 'extended network' -> 'CP' -> 'ASA' ->

What would be the safest configuration on the ASA to allow this to happen? Currently there are no rules set to allow ICMP out of the ASA from the extended internal network. However, from the internal HQ network we can ping/trace through the inside interface on the ASA and then back in through the external interface.

Would it be safe to let ICMP type 11 traverse the HQ network (from Checkpoint to ASA)?
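The least-privilege way to answer the question above is to permit only the ICMP types ping and traceroute actually need (echo, echo-reply, time-exceeded, unreachable) from the extended network to HQ, rely on ASA ICMP inspection for the return traffic instead of another "permit icmp any any", and control ICMP aimed at the ASA's own interface separately with the icmp command. The following ASA configuration is an added example written for this thread; it is not the poster's configuration. The interface names (dmz toward the Checkpoint, inside toward HQ), the ACL name acl_dmz, the object-group names and the 10.20.0.0/16 and 10.10.0.0/16 addresses are all assumptions chosen for illustration.

```cisco
! Added example, not the original poster's config.
! Assumptions: "dmz" is the ASA interface facing the Checkpoint,
! "inside" faces HQ, and the address ranges below are placeholders.
object-group network Extended-Network
 network-object 10.20.0.0 255.255.0.0
object-group network Internal-Network
 network-object 10.10.0.0 255.255.0.0

! Only the ICMP types needed for ping/traceroute, instead of "permit icmp any any"
object-group icmp-type ICMP-Troubleshoot
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

! Inbound on the Checkpoint-facing interface: extended network -> HQ
access-list acl_dmz extended permit icmp object-group Extended-Network object-group Internal-Network object-group ICMP-Troubleshoot
! UDP traceroute probes (Linux/Cisco default port range), Windows tracert uses ICMP echo above
access-list acl_dmz extended permit udp object-group Extended-Network object-group Internal-Network range 33434 33534
access-group acl_dmz in interface dmz

! Stateful ICMP inspection: echo-reply is matched to the outbound echo, and
! "inspect icmp error" matches time-exceeded/unreachable to the existing
! connection, so no standalone "permit icmp ... time-exceeded" ACE is required
! for replies to traffic the ASA has already seen.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 ! Decrement TTL so the ASA itself shows up as a hop in traceroute output
 class class-default
  set connection decrement-ttl

! ICMP addressed to the ASA's own dmz interface (pinging the firewall itself)
! is governed by the icmp command, not by the interface ACL.
icmp permit 10.20.0.0 255.255.0.0 echo dmz
icmp deny any dmz
! Rate-limit the unreachables the ASA generates when it is a traceroute hop
icmp unreachable rate-limit 10 burst-size 5
```

With this in place, "show access-list acl_dmz" shows hit counts per ICMP type, which is a quick way to confirm that only the expected types are being exercised during a troubleshooting session, and "show conn protocol icmp" shows the inspected echo sessions while a ping is running.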
