Cisco Support Community

New Member

icmp problem

Hi... We have a Checkpoint firewall at our site, and we have a PIX firewall at my client's place. We connect to that using a site-to-site VPN. The ACL used to be "any any", but we have added some ports to our client's FW and allowed ICMP also, and we closed the remaining ports. After this we are not able to ping each other, but we are able to reach the applications and they are working fine. What's the problem?

4 REPLIES
Hall of Fame Super Blue

Re: icmp problem

Hi

It's difficult to say without seeing configs. The only thing that springs to mind is that ICMP is not stateful in the way that TCP is, and you have to let it in and out explicitly.

Is there any chance that by updating your access-lists you have inadvertently stopped this?

HTH

Jon

New Member

Re: icmp problem

Thanks Jon...

We have configured the ACL statement to be "acl intranet icmp any any". Is there a problem? Because we both can't ping each other. We have a Checkpoint FW on our end...

Hall of Fame Super Blue

Re: icmp problem

Hi

Do you mean pinging from a client on one network to a client on the other?

If your applications are working but ICMP is not, and you have allowed ICMP in, then it sounds like ICMP is getting blocked on the return path.

Could you send pix config (sanitised).

Jon

New Member

Re: icmp problem

Hi,

You may also ask the customer with the PIX to run a "debug icmp trace" command, then perform tests to see whether the packets are processed. I will share that I am having problems pinging from our ASA/PIX as the source to devices inside the VPN tunnel at the other end. Pings do work fine, however, between devices connected behind the firewalls at both ends of the tunnel.

In my debugs, I found that the ASA/PIX sources its pings from the external public address associated with the outside interface.

Understandably, this address should never be allowed to ping an internal private address on the other end of the tunnel.

I am about to open a discussion forum inquiring on this as well as a tac case.

Good luck with your tests and please rate if this is helpful.

-Scott
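Two of the points raised in this thread (Jon's: ICMP is not stateful on the PIX unless you make it so, so the reply direction needs its own permit; and Scott's: a ping typed on the firewall itself is sourced from the outside interface address, which is not inside the VPN's interesting traffic) come down to a few lines of PIX/ASA configuration. The fragment below is an added illustration, not config posted by anyone in the thread. It assumes PIX 7.x / ASA syntax, a made-up addressing plan (10.10.0.0/24 behind the Checkpoint, 10.20.0.0/24 behind the PIX), and ACL names chosen here for the example; nothing in the original posts gives the real values.

```cisco
! Assumed addressing for this example only (not from the thread):
!   LAN behind the Checkpoint:  10.10.0.0/24
!   LAN behind the PIX:         10.20.0.0/24
!
! Background check first: with "sysopt connection permit-vpn" enabled
! (the default) decrypted VPN traffic bypasses the outside interface ACL,
! so if an ACL is blocking tunnel traffic at all, either that sysopt was
! disabled or a vpn-filter is in play. Confirm before editing ACLs:
show running-config sysopt
!
! Option 1: permit both directions of the ICMP exchange explicitly,
! because without inspection the PIX will not match an echo-reply to
! the echo that caused it.
!
! Traffic arriving from the tunnel on the outside interface
! (requests from the Checkpoint side AND replies to requests sent from here):
access-list outside_in extended permit icmp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 echo
access-list outside_in extended permit icmp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 echo-reply
access-list outside_in extended permit icmp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 unreachable
access-list outside_in extended permit icmp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 time-exceeded
access-group outside_in in interface outside
!
! Traffic leaving the client LAN towards the tunnel
! (only needed if an ACL is applied inbound on the inside interface):
access-list inside_in extended permit icmp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-group inside_in in interface inside
!
! Option 2 (PIX 7.x / ASA): make ICMP stateful. "inspect icmp" is not part
! of the default inspection policy, so it must be added; with it enabled,
! replies are matched to the request they answer and only the request
! direction needs a permit.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Do not confuse the interface ACL with the "icmp" command: the latter only
! governs pings addressed TO the firewall's own interfaces, not through it.
icmp permit 10.10.0.0 255.255.255.0 inside
!
! Scott's case: a ping issued on the firewall is sourced from the outside
! interface address unless an interface is named. Sourcing it from the
! inside interface puts the packet inside the crypto ACL's 10.20.0.0/24
! range; "management-access inside" lets that interface address be used
! across the tunnel (assumed for this example, verify on your release).
management-access inside
ping inside 10.10.0.5
!
! Watch request/reply pairs while testing, as suggested in the thread:
debug icmp trace
```

When checking, run the debug on the PIX while a host behind the Checkpoint pings a host behind the PIX: if the echo is logged arriving on outside but no echo-reply is logged leaving, the reply is being dropped on this box (Option 1 or 2 above); if neither appears, the request never made it across the tunnel and the Checkpoint side or the crypto ACLs need a look.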
