ICMP problem

Unanswered Question
May 7th, 2007

Hi. We have a Checkpoint firewall at our site, and we have a PIX firewall at my client's place. We connect to that using a site-to-site VPN. The ACL used to be any any, but we have added some ports to our client's firewall and allowed ICMP also, and we closed the remaining ports. After this we are not able to ping each other, but we are able to reach the applications and they are working fine. What's the problem?

Jon Marshall Tue, 05/08/2007 - 00:32

Hi

It's difficult to say without seeing configs. The only thing that springs to mind is that ICMP is not stateful in the way that TCP is, and you have to let it in and out explicitly.

Is there any chance that by updating your access-lists you have inadvertently stopped this?

HTH

Jon

prudhvi83 Tue, 05/08/2007 - 00:40

Thanks Jon.

We have configured the ACL statement to be acl intranet icmp any any. Is there a problem? Because we both can't ping each other. We have a Checkpoint firewall at our end.

Jon Marshall Tue, 05/08/2007 - 00:59

Hi

Do you mean pinging from a client on one network to a client on the other?

If your applications are working but ICMP is not, and you have allowed ICMP in, then it sounds like ICMP is getting blocked on the return path.

Could you send the PIX config (sanitised)?

Jon

swharvey Wed, 05/16/2007 - 10:45

Hi,

You may also ask the customer with the PIX to run a debug icmp trace command, then perform tests to see how the packets are processed. I will share that I am having problems pinging from our ASA/PIX as the source to devices inside the VPN tunnel at the other end. Pings do work fine, however, between devices connected behind the firewalls at both ends of the tunnel.

In my debugs, I found that the ASA/PIX sources its address in the pings as the external public address associated to the outside interface.

Understandably this address should never be allowed to ping an internal private address on the other end of the tunnel.

I am about to open a discussion forum inquiring on this as well as a tac case.

Good luck with your tests and please rate if this is helpful.

-Scott
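To make Jon's point about ICMP not being stateful concrete, here is a constructed PIX configuration fragment (added to this thread as an illustration; it is not the poster's or the client's config). It assumes PIX 7.x-style `extended` ACL syntax and interface names `inside` and `outside`; the ACL names `inside_in` and `outside_in` are also assumptions. The first part shows the weak configuration, where only echo requests are permitted outbound, and the second part shows the two ways the return path can be opened.

```text
! --- Weak configuration (constructed example) ---
! Hosts behind "inside" may open HTTPS and send echo requests outbound.
access-list inside_in extended permit tcp any any eq 443
access-list inside_in extended permit icmp any any echo
access-group inside_in in interface inside
!
! Nothing permits ICMP back in on "outside". TCP replies still pass because the
! PIX tracks the TCP session; ICMP echo-replies are dropped, so ping fails while
! the application keeps working, which matches the symptom in the thread.

! --- Fix A: permit the return ICMP types explicitly on the outside interface ---
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside

! --- Fix B (PIX 7.x and later): let the firewall track echo/echo-reply as a session ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! --- Diagnostics mentioned by Scott: watch each ICMP packet being processed ---
debug icmp trace
```

Fix A is the minimal change and keeps the ACL narrow (only replies and the error types a traceroute or path-MTU discovery needs). Fix B is cleaner on 7.x because an echo-reply is only admitted when a matching echo request left the box. One caveat when reading the client's config: if `sysopt connection permit-ipsec` (6.x) or `sysopt connection permit-vpn` (7.x) is enabled, decrypted VPN traffic bypasses the interface ACLs altogether, so the blocking rule would have to be somewhere else, such as a vpn-filter or the Checkpoint side.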
