Hi. We have a Checkpoint firewall at our site and a PIX firewall at my client's place, and we connect to it using a site-to-site VPN. The ACL used to be any/any, but we have added some ports to our client's firewall and allowed ICMP as well, and we closed the remaining ports. After this we are not able to ping each other, but we are able to reach the applications and they are working fine. What is the problem?
You may also ask the customer with the PIX to run a debug icmp trace command, then perform tests to see how the packets are processed. I will share that I am having problems pinging from our ASA/PIX as the source to devices inside the VPN tunnel at the other end. Pings do work fine, however, between devices connected behind the firewalls at both ends of the tunnel.
In my debugs, I found that the ASA/PIX sources its address in the pings as the external public address associated with the outside interface.
Understandably, this address should never be allowed to ping an internal private address on the other end of the tunnel.
I am about to open a discussion forum inquiring on this as well as a TAC case.
Good luck with your tests and please rate if this is helpful.
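The checks described in the reply above, written out as an added PIX/ASA CLI example that is not part of the original posts. The addresses (192.168.1.0/24 local, 10.20.0.0/24 remote, host 10.20.0.5) are assumptions chosen for illustration, and the management-access step is the generally documented requirement for firewall-sourced traffic to use the inside interface address across a tunnel, not something the poster confirmed.

```text
! 1. Confirm the crypto ACL (interesting traffic) only covers the private
!    networks. A ping sourced from the outside interface address will not
!    match it and therefore goes out unencrypted, which is what the
!    debug in the reply above showed.
show run access-list
!   access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0

! 2. Watch ICMP as it is processed; note the SOURCE address of the echo request.
debug icmp trace
ping 10.20.0.5
!   -> request leaves sourced from the outside (public) interface address
undebug all

! 3. Source the ping from the inside interface instead, so it matches the
!    crypto ACL and is carried inside the tunnel. On ASA/PIX this requires
!    management-access on that interface (assumption: inside is the LAN side).
management-access inside
ping inside 10.20.0.5

! 4. Both ends must permit echo AND echo-reply; a rule that allows only
!    "icmp" from one side still breaks the return direction if the other
!    side's rules are asymmetric. Constructed example of a symmetric pair:
access-list INSIDE_IN extended permit icmp 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit icmp 10.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply

! 5. Verify traffic is actually being encrypted/decrypted for the tunnel.
show crypto ipsec sa
```

If the host-to-host pings in the original question fail while applications work, step 4 is the first thing to check on both firewalls: TCP-based applications only need their ports opened, whereas ping needs echo in one direction and echo-reply in the other to be permitted by whichever side filters the return traffic.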