×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ping from lower security interface to a higher

Unanswered Question
Oct 21st, 2013
User Badges:

Hello,


I have a Cisco 5520 ASA firewall with a direct connection to a Checkpoint firewall.  On the inside network of my ASA i have a server that needs to ping a server on the dmz on the Checkpoint and vice versa.  So i have the correct routing and firewall rules on both devices.


I can successfully ping from my server on the INSIDE interface on the cisco asa to the server on the DMZ on Checkpoint but i cant ping in the other direction.


Q Is this because i am trying to go from a lower security interface on the asa to a higher one?


I cant be sure if the error is on my asa or the checkpoint because neither is showing anything in the logs?


Everything else on both firewalls is fine.


regards,

Kevin

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jouni Forss Mon, 10/21/2013 - 12:05
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Its hard to tell what the actual problem is at the moment.


With regards to the "security-level" value, the situation is if the interface doesn't have an ACL configured on it then traffic sourced from networks behind it will be allowed to networks located behind interfaces of lower "security-level". If the source interface for the direction that is not working doesnt hold an ACL and has lower "security-level" than the destination interface then you will have to configure an interface ACL to allow this traffic.


Then again, the problem might be as simple as the server simply rejecting the ICMP Echo but allowing itself to ICMP Echo some remote destination and receive an Echo Reply for that. In other words, the server can ICMP remote hosts but wont accept ICMP Echo from remote hosts. It might reply to hosts on the directly connected network. So if there is no clear reason for the traffic to not go through I would consider checking the server software firewall.


It might also be that the working direction has been configured with Dynamic PAT and there is no correct translation for the other direction to enable sending ICMP to the server.


You can easily test the ASA configuration with the "packet-tracer" so that would be the first natural step to determening the reason of the problem or atleast narrowing it down.


packet-tracer input icmp 8 0


In the above command you would use the interface nameif behind which the ICMP Echo is coming from (8 0 = ICMP Echo). The source IP address is obvious. The destination IP address should be the NAT IP address of the server IF there is NAT being performed. If NO NAT is done for the destination then you naturally use the real IP address.


Hope this helps


- Jouni

Actions

This Discussion