icmp problem

Unanswered Question
May 7th, 2007

Hi. We have a Checkpoint firewall at our site, and we have a PIX firewall at my client's place. We connect to that using a site-to-site VPN. The ACL used to be any any, but we have added some ports to our client's FW and allowed ICMP also, and we closed the remaining ports. After this we are not able to ping each other, but we are able to reach the applications and they are working fine. What's the problem?

Jon Marshall Tue, 05/08/2007 - 00:32

Hi


It's difficult to say without seeing configs. The only thing that springs to mind is that ICMP is not stateful in the way that TCP is, and you have to let it in and out explicitly.

Is there any chance that by updating your access-lists you have inadvertently stopped this?


HTH


Jon
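
As an added illustration of Jon's point (this is not configuration from the original thread or from either poster): on a PIX or ASA running 7.x software, ICMP is only tracked statefully when `inspect icmp` is enabled in the policy-map; without it, the echo-reply coming back has to be permitted explicitly on the interface where it arrives. The ACL and interface names below are assumed.

```text
! Option A: make ICMP stateful so that echo-replies are matched to the
! outbound echo-request (PIX/ASA 7.x and later). Policy/class names assumed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: without inspect icmp, permit the return traffic explicitly on
! the interface it arrives on. "outside_in" is an assumed ACL name.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
!
! Quick check while pinging: watch the echo-request and echo-reply pass the box
debug icmp trace
```

One caveat when the traffic arrives through a site-to-site tunnel: if `sysopt connection permit-vpn` is in effect, decrypted VPN traffic bypasses the interface ACLs, so the filter that matters is the crypto map's access-list (or a vpn-filter), not `outside_in`.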

prudhvi83 Tue, 05/08/2007 - 00:40

thanks jon...

We have configured the ACL statement to be acl intranet icmp any any. Is there a problem? Because we both can't ping each other. We have a Checkpoint FW on our end.

Jon Marshall Tue, 05/08/2007 - 00:59

Hi


Do you mean pinging from a client on one network to a client on the other?


If your applications are working but ICMP is not, and you have allowed ICMP in, then it sounds like ICMP is getting blocked on the return path.


Could you send the PIX config (sanitised)?


Jon

swharvey Wed, 05/16/2007 - 10:45

Hi,


You may also ask the customer with the PIX to run a debug icmp trace command, then perform tests to see how the packets are processed. I will share that I am having problems pinging from our ASA/PIX as the source to devices inside the VPN tunnel at the other end. Pings do work fine, however, between devices connected behind the firewalls at both ends of the tunnel.


In my debugs, I found that the ASA/PIX sources its address in the pings as the external public address associated with the outside interface.


Understandably, this address should never be allowed to ping an internal private address on the other end of the tunnel.


I am about to open a discussion forum inquiring on this as well as a tac case.


Good luck with your tests and please rate if this is helpful.


-Scott
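
Following on from Scott's observation, here is an added example (not from the original posts) of the usual way to test a tunnel from the PIX/ASA itself: the ping has to be sourced from the inside interface so that its source address falls inside the crypto ACL, and `management-access inside` lets traffic arriving over the tunnel reach that interface. The remote address and interface name are assumed.

```text
! Assumed: the inside interface address is covered by the crypto ACL,
! and 10.20.0.5 is a host on the remote LAN behind the Checkpoint.
!
! Allow traffic arriving through the VPN to terminate on the inside interface
! (also lets the remote side ping the inside address across the tunnel)
management-access inside
!
! Source the test ping from the inside interface, not from the outside one
ping inside 10.20.0.5
!
! For comparison: a plain "ping 10.20.0.5" is sourced from the outside
! interface address, which does not match the crypto ACL, so it is sent
! in the clear (or dropped) instead of through the tunnel.
```

If the sourced ping succeeds while the plain one fails, the tunnel and the far-end ACLs are fine and the earlier failure was only the source-address selection Scott describes.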
