Cisco Support Community

New Member

ICMP from dmz

Hello,

I'm trying to find the safest option (or alternative) to allow ICMP back into my network from the DMZ in order to troubleshoot. I know it's incredibly unsafe to allow ICMP in case the DMZ gets compromised. Requirements need me to allow ICMP return traffic from the DMZ to an entire subnet.

Here is what I have so far (I was thinking ICMP type 11 would work):

access-list acl_outside extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded

all help is appreciated!

G

4 REPLIES

Super Bronze (accepted solution)

ICMP from dmz

Hi,

Your ACL name would seem to refer to an external interface and not a DMZ interface, but naturally I can't say for sure as I don't know the configuration.

If your aim is to allow LAN networks to ICMP the DMZ and allow the return traffic, then to my understanding ICMP inspection should be enough to have this work, and you would not need to allow anything from the DMZ, as the ASA should automatically allow the ICMP Echo Reply messages back. You could also add ICMP Error inspection.

Typically you add these to your "policy-map" configuration, which is by default attached globally on the ASA if you have not removed those configurations.

Then you would simply have to allow ICMP from the required LAN networks to the DMZ on the LAN interface's ACL.

- Jouni

New Member

ICMP from dmz

"access-list acl_dmz extended permit icmp object-group DMZhosts object-group Internal-Network time-exceeded" would work then, assuming I just wanted to perform troubleshooting by running traceroutes from the internal networks. Another question I would have is how I would mitigate ICMP attacks if the DMZ was somehow compromised?

Super Bronze (accepted solution)

Re: ICMP from dmz

Hi,

To my understanding, if you just configure ICMP Inspection / ICMP Error Inspection you won't have to even allow ICMP from the DMZ to any network.

The ASA will keep track of the ICMP connections initiated from the LAN networks that you use for troubleshooting and allow the return messages through from the DMZ back to the LAN.

Your DMZ interface ACL would not have to allow any kind of ICMP through.

- Jouni
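
Putting the two replies above into a concrete ASA configuration, as an added example that is not part of the original thread. The object-group names DMZhosts and Internal-Network come from the original post; the interface names (inside, dmz), the ACL names acl_inside and acl_dmz, and the addresses inside the object groups are assumptions. The security-relevant point it shows is that the return ICMP traffic is admitted by the stateful ICMP inspection (a reply is only accepted if it matches an echo request already in the connection table), not by any permit on the DMZ ACL, so a compromised DMZ host cannot initiate ICMP toward the internal subnet.

```cisco
! --- ICMP inspection in the default global policy (Cisco ASA) ---
! "inspect icmp" makes ICMP echo stateful: an echo-reply from the DMZ is
! only allowed if it matches an echo request already in the conn table.
! "inspect icmp error" additionally admits ICMP error messages (such as
! time-exceeded from DMZ hops during a Windows tracert) when the packet
! embedded in the error matches an existing connection.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The default global policy is already applied on a stock ASA; shown for completeness.
service-policy global_policy global
!
! --- Object groups (names from the original post; addresses are assumed) ---
object-group network Internal-Network
 network-object 10.10.0.0 255.255.0.0
object-group network DMZhosts
 network-object host 192.168.100.10
 network-object host 192.168.100.11
!
! --- LAN interface ACL: only the outbound direction needs a permit ---
! Only echo is permitted (ping and Windows tracert send ICMP echo). No
! echo-reply or time-exceeded entry is needed here or on the DMZ side.
access-list acl_inside extended permit icmp object-group Internal-Network object-group DMZhosts echo
! Assumed: whatever other LAN-originated traffic the site already allows.
access-list acl_inside extended permit ip object-group Internal-Network any
access-group acl_inside in interface inside
!
! --- DMZ interface ACL: no ICMP permit toward the internal network ---
! Unsolicited ICMP (or anything else) that a compromised DMZ host sends
! toward Internal-Network is dropped here; inspection only lets through
! replies and errors tied to a LAN-initiated ICMP session.
access-list acl_dmz extended deny ip object-group DMZhosts object-group Internal-Network
! Assumed: DMZ hosts are otherwise allowed out (e.g. to the Internet).
access-list acl_dmz extended permit ip object-group DMZhosts any
access-group acl_dmz in interface dmz
!
! --- Verification from the ASA while pinging a DMZ host from the LAN ---
! show service-policy inspect icmp    (inspect is active and packet counters increase)
! show conn | include ICMP            (the ICMP "connection" the reply is matched against)
! show access-list acl_dmz            (hit count on the deny stays at 0 for legitimate replies)
```

One caveat for the traceroute use case in the follow-up question: Linux and macOS traceroute send UDP probes by default, not ICMP echo, so for those hosts acl_inside would also need a UDP permit toward the DMZ; the time-exceeded replies from the DMZ hops are then the ICMP errors that "inspect icmp error" admits. Windows tracert uses ICMP echo and is covered by the echo permit above.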

New Member

Re: ICMP from dmz

Excellent, thank you so much!
