As I am sure many of you who have ever worked with a Cisco firewall
know, ICMP is not allowed through the firewall by default. If you are
just configuring the device, this can make it very difficult to
troubleshoot connectivity issues. Thankfully, there are several ways to
get around this.
Solution 1: Use access-lists to allow pings from the inside/DMZ to the outside.

To allow pinging from the inside to the outside interface, you will need to configure an access-list for the outside interface that lets the replies back in:

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply

Then apply the access-list to the outside interface:

access-group OUTSIDE_IN_ACL in interface outside

This will allow only ping. If you would like to allow traceroute as well, you will also need to allow time-exceeded:

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded

Solution 2: Use an access-list to allow ping and traceroute from the internet to your DMZ/inside servers.

To do this, we are going to build on what we did above, so you should already have this in the config:

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

Now all we need to do is allow echo into the network:

access-list OUTSIDE_IN_ACL permit icmp any any echo

Even though we are allowing ICMP, we still need a static mapping for the packets to reach the DMZ:

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255

Of course, you will need a static mapping for every server you want to be reachable from the internet.

Solution 3: This is a bit more complex, but it will allow higher-security-level interfaces to ping/traceroute lower-security-level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect ICMP in a service policy. If you are using an ASA, you should have a default policy in the base config called global_policy:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

To add ICMP inspection:

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
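Once a firewall has accumulated a few of the rules from the three solutions above, it is worth checking the running config rather than trusting memory: which ICMP types each interface actually lets in, which published hosts an inbound echo rule makes pingable, and whether inspect icmp is really in effect (the inspect line does nothing unless its policy-map is applied with service-policy). The script below is an added example, not code from the original post or from Cisco. It recognises only the line shapes shown above (access-list ... icmp, access-group, static, policy-map/inspect icmp, service-policy) and ignores everything else; the ACL, interface and policy names are the post's, while the addresses in SAMPLE_CONFIG are constructed documentation ranges standing in for PUBLIC_IP and DMZ_IP.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Strips a CLI prompt such as "FW-ASA(config-pmap-c)# " so pasted sessions parse too.
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")


@dataclass
class IcmpRule:
    acl: str
    action: str               # permit / deny
    src: str
    dst: str
    icmp_type: Optional[str]  # None means the rule matches every ICMP type


@dataclass
class IcmpAudit:
    rules: dict = field(default_factory=dict)     # acl name -> [IcmpRule]
    bindings: dict = field(default_factory=dict)  # interface -> inbound acl name
    statics: list = field(default_factory=list)   # (real_if, mapped_if, mapped_ip, real_ip)
    inspect_icmp: bool = False                    # inspect icmp in a globally applied policy


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_asa_icmp(config: str) -> IcmpAudit:
    """Collect the ICMP-relevant lines from ASA configuration text."""
    audit = IcmpAudit()
    current_pm, pms_with_icmp, global_pms = None, set(), set()
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        t = [tok for tok in line.split() if tok != "extended"]
        if t[0] == "access-list" and len(t) > 3 and t[3] == "icmp":
            src, rest = _take_addr(t[4:])
            dst, rest = _take_addr(rest)
            rule = IcmpRule(t[1], t[2], src, dst, rest[0] if rest else None)
            audit.rules.setdefault(t[1], []).append(rule)
        elif t[0] == "access-group" and t[2] == "in":
            audit.bindings[t[4]] = t[1]          # access-group ACL in interface IFACE
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            audit.statics.append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "policy-map":
            current_pm = None if t[1] == "type" else t[1]   # skip "policy-map type inspect ..."
        elif t == ["inspect", "icmp"] and current_pm:
            pms_with_icmp.add(current_pm)
        elif t[0] == "service-policy" and t[-1] == "global":
            global_pms.add(t[1])
    # inspect icmp only takes effect if its policy-map is actually applied globally.
    audit.inspect_icmp = bool(pms_with_icmp & global_pms)
    return audit


def permitted_types(audit: IcmpAudit, interface: str) -> list:
    """ICMP types the inbound ACL lets into `interface` ('ALL' for untyped rules)."""
    acl = audit.bindings.get(interface)
    return sorted({r.icmp_type or "ALL" for r in audit.rules.get(acl, []) if r.action == "permit"})


def findings(audit: IcmpAudit) -> list:
    """Review notes: what comes in where, and whether ICMP is handled statefully."""
    out = []
    for iface, acl in sorted(audit.bindings.items()):
        types = permitted_types(audit, iface)
        out.append(f"{iface}: ACL {acl} permits inbound ICMP {types or 'none'}")
        if "ALL" in types:
            out.append(f"{iface}: a rule permits every ICMP type; restrict it to the types needed")
        if "echo" in types:
            exposed = [real_ip for _, mapped_if, _, real_ip in audit.statics if mapped_if == iface]
            out.append(f"{iface}: echo is allowed in; pingable via static: {exposed}")
    if audit.inspect_icmp:
        out.append("inspect icmp is active: echo replies to pings originated behind the ASA are "
                   "allowed statefully, so the echo-reply ACL entry is no longer needed for them")
    else:
        out.append("inspect icmp is not active: return ICMP depends entirely on the inbound ACLs")
    return out


# Constructed sample: the post's lines with PUBLIC_IP/DMZ_IP replaced by documentation
# addresses, and the echo rule narrowed to the one published host.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-list OUTSIDE_IN_ACL permit icmp any host 203.0.113.10 echo
access-group OUTSIDE_IN_ACL in interface outside
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect icmp
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for note in findings(parse_asa_icmp(SAMPLE_CONFIG)):
        print(note)
```

Feed it the output of show running-config (or a pasted CLI session; prompts are stripped) and read the findings. A bare permit icmp any any with no type shows up as ALL and should be narrowed to the types the post uses; an echo rule is reported together with the hosts the static mappings actually expose behind it, which is the list to reconcile with what is meant to be reachable from the internet.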