Permitting pings from servers to external through CSS

Similar Messages

• Migrating Security from Native to External Authentication mode Servers

  Hi All,
  I am migrating applications from V7, V9 (doesn't use Shared services) to V11 (Shared Services Enabled) Essbase server.
  I am able to migrate the application definition using the Application Migration Wizard.
  Take level-0 export from the source server & load on the target server & do the default-calc or series of custom calcs depending upon the application's maintenance process.
  Using the Application Migration wizard, we can also migrate security only if both Source & Target servers use Native Authentication mode.
  This can be ruled out in my case as only Sources are native & Target is Shared services enabled.
  Here are few tools available to do bulk provisioning on a Shared Services enabled Essbase application -
  1. MAXL - Works great - But too tedious to create the MAXL statements based on the security definitions on the Source servers.
  2. CSS Import-Export utility - I heard it works only when both Source & Target are Shared services enabled. Can this be used for my case. Also heard many didn't find success with this one.
  3. LCM - Not sure if this can be used for security.
  Are there any other utilities?
  Has anyone done similar migrations before? Please let me know the best practice to do this.
  Appreciate your thoughts.
  -Ethan.

  It is much easier to go about that method, it is not always 100% successful with groups/users but gets most done.
  If you are past that stage then maybe try using the advanced security manager to extract security from your source environment.
  Then you could use the CSSImportExport Utility, first create a template from the information you extracted from your source and then run use the utility to provision users in the new environment.
  There are obviously other ways but that is the way I would prefer if using Shared services security.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• When I try to drag the iphoto library to the external disk a forbidden (circle with slash through it) icon appear. Why do you suppose it is preventing me from adding to external drive? These are pictures I have taken. I believe it cannot find the origina

  When I try to drag the iphoto library to the external disk a forbidden (circle with slash through it) icon appear. Why do you suppose it is preventing me from adding to external drive? These are pictures I have taken. I believe it cannot find the original file.  Please help.
  Thanks.

  What happens if you try to  Option-drag the library to the EHD?  The same icon?
  Make sure the EHD is formatted Mac OS X Extended (journaled) with Ownership set to be ignored:
  OT

• Ping from CSS

  My CSS is currently in a one-armed transparent proxy configuration with multiple default gateways (as specified in Cisco's configuration example). When the CSS pings odd number IP addresses it sources the ping with its VLAN1 IP address.. If it pings even number IP addresses it sources the ping with its VLAN2 IP address. How can I control this? VLAN2 is an unpublished subnet between the SCA and CSS. All pings fail originating from VLAN2 because the remote client does not have a route to it. I would like the CSS to never originate pings from VLAN2 (unless it is pinging the SCA on VLAN2)
  Thanks.

  Hi Erik,
  having a look at your config you are having two (2) default routes.
  I think this causes the "trouble".
  From my point of view this has nothing to do with even or odd IP-Addresses but with loadsharing over two links on equal routing pathes.
  Why do you have the 2nd default route pointing to the SCA?
  You are having a service configured pointing to the SCA and this should be enough from my point of view.
  Do I miss something here?
  Kind Regards,
  Joerg Foerster

• WRT160Nv2 Cannot be pinged from external network

  Hi,
  My WRT160Nv2 can not be pinged from an external network. How do I configure the WRT160Nv2 reply to the ICMP requests from the external interface?
  Gerwin

  Login to your router setup page and click on the Security tab and below uncheck "Filter Anonymous Internet request" and click on Save Settings. Now try to ping from your external network and check if you are getting any response or not.

• How do I block pings from the outside to the ASA 5505 outside interface?

  I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.
  I created an ACL to try and do the trick, also to no avail:
  access-list outside_in extended permit icmp any any echo-reply
  access-list outside_in in interface outside
  access-group outside_in in interface outside
  Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/
  Thanks in advance...
  Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
  Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
  ASA5505(config)#icmp deny any outside
  You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

  You are allowing echo-reply, thus it will reply to a ping
  try this ACL:
  icmp deny any echo-reply outside
  From: 
  https://supportforums.cisco.com/thread/223769
  Eric

• My efforts to remove malware from a network external hard drive connected to my Intel based iMac is now causing programs to hang when I try to open them.

  I own an iMac, recently updated with OSX 10.75. It is the core computer on a home network shared with an iPad, Apple TV, two network printers,my wife's laptop, two iPhone, a BlackBerry and a BlackBerry Playbook. I am experiencing three if not four problems that are overwhelming.
  My original problem is associated with Windows emails files or documents  stored on my external network  hard drive. One or more has malware and is sending malware laced files across the Internet to points unknown.  As someone pointed out in a forum my iMac may be hosting,sharing and propagating Windows malware.  I originally used Trend Micro software on my IMac to monitor any viral activity. Two weeks ago I noticed a number of notices from servers around the world saying my message was not undelivered. Since I had sent messages to the people I simply deleted the emails. Next I noticed the emails on my BlackBerry and my BlackBerry playbook.I configured the Trend to do a complete scan and although it did a complete scan it did not perform a full network scan. It did identify a series of .x27 document files with the same name tbut each had a sequential number. I assumed hat these were the source files that had  sent out the email documents selling Viagara and othernproducts.  I manually deleted thousands of the source documents and the files. This caused some disruption to my computer but it did not produce a hardware or software problem. By following this effort in conjunction with security scans I do believe the malware was activated by Iranian students who were able to activate the malware through my BlackBerry and BlackBerry Playbook.  I learned this from an encounter I had when trying tondelete these files on my computer and my BlackBerry.
  When using my PlayBook after deleting the files from my computer I noticed more messages being returned from servers.  I realized that email accounts connected to my BlackBerry and BB Playbookn were not protected from this problem. As I searched for remedies I learned about turning on the firewall in the previous version of Lion but that did not stop the BlackBerry problem. Each time I deleted a source file on my computer more documents were released. I eventually received McAfee from my ISP. It provided security on the entire network. My first full scan of my external drive identified two malware files. One of them was associated with the Cialis ad the other was from a firm in the Middle East called ADP.  it could not remove the latter file.
  Moreover each time I attempted to remove the source file from my hard drive a file labeled A239A076F would show up on my Blackberry.  As I removed them thousands of these files would show up.  Ultimately I eventually disconnected the external hard drive and removed the battery from the phone and not use the email accounts these messages had used to enter my iMac.  I am contacting ATT about BlackBerry data security and switching to a different phone for business purposes. I will probably change to an iPhone or Android phone for business purposes.  I am also looking at ways to resolve the malware on that drive. There are a number of business and personal files on thatbdrive that I hope to keep. I dread having to pay McAfee to configure the software to eradicate the malware.
  Moving on...last week I updated my iMac to 10.75. It simultaneously updated every Apple based program as promised. It did not update the non-Apple programs.  I am not an IT professional and assumed that it had done so.  On Saturday I attempted to download a file associated with my router extender using my untethered Playbook and BlackBerry desktop software. The program hung. I attempted a reboot and it reopened with the hung program.  It created an alias file on the desktop.  My inclination led to put the alias file in the trash can and delete it. My computer did not respond well to that action. It has been rebooted with Cmd-s-esc tens of time to see if that would activate a file check. It did not. I was able to run a disk utility check. And in spite of the hung process it eventually said the drive was okay.
  Long story in a nutshell. My iMac is responding as if it is looking for a subprogram to complete its a function. Or it is attempting to finish the BlackBerry operation it began on Saturday. I hope this makes sense to someone and the know how I can restore functionality to my iMac.
  Thank you.

  I think the McAfee suite will do the trick when I pay them a one-time fee of $69 or $179 for a year for unlimited support.
  Your call of course but IMO a waste of money. Please read this first:
  There are many forms of ‘Malware’ that can affect a computer system, of which ‘a virus’ is but one type, ‘trojans’ another. Using the strict definition of a computer virus, no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions. The same is not true of other forms of malware, such as Trojans. Whilst it is a fairly safe bet that your Mac has NOT been infected by a virus, it may have another security-related problem, but more likely a technical problem unrelated to any malware threat.
  You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:
  https://discussions.apple.com/docs/DOC-2435
  The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them.
  More useful information can also be found here:
  http://www.reedcorner.net/mmg/

• ISR 3945 - SNMP trap set up to recieve option pings from ASR1006

  I am working on a set up : ISR 3945 - Receiving  option pings from another device (ASR) and sending a snmp trap (say ex: if a link down on a dial-peer ) to snmp server if those option ping fails.
  - Need inputs on SNMP config
  Thanks in advance.

  Hi.
  the easiest way is to get the snmp-server trap source command to work.
  when you say it's not working, do you mean the branches still use the external interface as the source? or that it's sourced properly from vlan1 but somehow doesn't get encrypted?
  what ios version are you running on the branches? maybe this is a bug and newer versions get it to work?
  if you want to through another way than snmp-server trap source, then an ipsec redesign might be needed. As you noticed dmvpn would be the easiest. another solution would be dynamic lan-to-lan from branch to headend with gre tunnels (similar to dmvpn), and then force the route to the management network via GRE, this way the snmp trap source would default to use the tunnel ip address.
  Regards,
  Fadi.

• How to allow ping from inside to outside in 2900 router?

  Hi,
  I have a Cisco router 2900 with firewall, i need to know how can i allow the ping from self zone to outside zone, i trried to create policy from self to outside but i still didn't allow ping or tracert, i get that message when i try to ping from cisco router:
  "Unrecognized host or address, or protocol not running"
  any help will be appreciated.
  Thank you

  Hi jcarvaja
  here is the used configuration:
  Building configuration...
  Current configuration : 5584 bytes
  ! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
  version 15.1
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  no service password-encryption
  service udp-small-servers
  service tcp-small-servers
  service sequence-numbers
  hostname Router
  boot-start-marker
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  no logging buffered
  no logging console
  enable secret 5
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip gratuitous-arps
  ip icmp rate-limit unreachable 1
  ip cef
  ip name-server 163.121.128.134
  ip name-server 163.121.128.135
  ip port-map user-custom-fleet port tcp 2000 list 1
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-324261422
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-324261422
  revocation-check none
  crypto pki certificate chain TP-self-signed-324261422
  certificate self-signed 01
    30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33323432 36313432 32301E17 0D313330 34303930 38343034
    375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 34323631
    34323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    B8ABD60F 8C879B3B BC1C1643 48059AD2 F940A700 6D58161E 37D53E6E E028B806
    61EAA942 CED2A3C6 3FB3A47E 20E05B10 0941A9D8 38FFA6F9 D2B9E52C 225A57BA
    14F8842A A26E7E02 38E9F7C8 328504D0 5C3EEE41 CC75B237 BBD07CBA 1A850540
    2A5AAFAD 4553FB03 0E366211 9AC09967 4DC03082 0AF546A3 F6AA2739 1D8A8AA9
    02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
    23041830 16801428 FEEB3910 B7A1D374 1F86BCD5 96CEDF75 8DF11E30 1D060355
    1D0E0416 041428FE EB3910B7 A1D3741F 86BCD596 CEDF758D F11E300D 06092A86
    4886F70D 01010405 00038181 006BBF7A 430905F6 D5B27B0D 96315504 87816DAA
    B5EA86D9 6E9A1D58 7B328C88 A6A358D0 00D035A9 8CDDEC41 15AF0108 F5CB1072
    B0485D7D CFC0D0CB 71E9B153 FB7B8B40 40C157E4 B254D01C 890D615F D8395545
    F0B47E0B 57341EB2 C0CE0039 DC18EAD6 078986F0 A5A5D04F D5041DB6 23CAA002
    4901248C 95B61A0B 3ED5B26A EF
        quit
  license udi pid CISCO2901/K9 sn FCZ1526C3JL
  object-group service Outside-Reply
  icmp echo-reply
  username admin privilege 15 secret 5
  redundancy
  ip finger
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  class-map type inspect match-any Deny_ALL
  match access-group name dwdwd
  class-map type inspect match-any Inside-Outside
  match protocol http
  match protocol https
  match protocol dns
  class-map type inspect match-any ICMP_RQST
  match protocol icmp
  policy-map type inspect Inside-Outside
  class type inspect Inside-Outside
    inspect
  class class-default
    drop
  policy-map type inspect Self_to_Outside
  class type inspect ICMP_RQST
    inspect
  class class-default
    drop
  policy-map type inspect Outside_to_Self
  class type inspect Deny_ALL
    pass log
  class class-default
    drop
  zone security IN
  zone security OUT
  zone-pair security Self_to_Outside source self destination OUT
  service-policy type inspect Self_to_Outside
  zone-pair security Outside_to_Self source OUT destination self
  service-policy type inspect Outside_to_Self
  zone-pair security Inside-Outside source IN destination OUT
  service-policy type inspect Inside-Outside
  interface GigabitEthernet0/0
  ip address 101.101.100.245 255.255.255.0
  ip mask-reply
  ip directed-broadcast
  ip flow ingress
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description $FW_INSIDE$
  ip address 49.31.152.80 255.255.255.248
  ip mask-reply
  ip directed-broadcast
  ip flow ingress
  zone-member security IN
  duplex auto
  speed auto
  interface Serial0/0/0
  no ip address
  ip mask-reply
  ip directed-broadcast
  ip flow ingress
  encapsulation frame-relay IETF
  no fair-queue
  frame-relay lmi-type q933a
  interface Serial0/0/0.16 point-to-point
  description $FW_OUTSIDE$
  ip address 172.17.18.122 255.255.255.252
  ip mask-reply
  ip directed-broadcast
  ip flow ingress
  ip verify unicast reverse-path
  zone-member security OUT
  frame-relay interface-dlci 16  
  interface Serial0/0/1
  no ip address
  ip mask-reply
  ip directed-broadcast
  ip flow ingress
  shutdown
  clock rate 2000000
  ip forward-protocol nd
  ip http server
  ip http access-class 2
  ip http authentication local
  ip http secure-server
  ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
  ip identd
  ip access-list extended ICMP
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended deeef
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended dwdwd
  remark CCP_ACL Category=1
  permit object-group Outside-Reply any any
  access-list 1 remark CCP_ACL Category=1
  access-list 1 permit 196.219.234.77
  access-list 2 remark Auto generated by SDM Management Access feature
  access-list 2 remark CCP_ACL Category=1
  access-list 2 permit 101.101.100.0 0.0.0.255
  access-list 2 permit 10.20.10.0 0.0.1.255
  no cdp run
  control-plane
  line con 0
  login local
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line vty 0 4
  login local
  transport input all
  line vty 5 15
  login local
  transport input all
  scheduler allocate 20000 1000
  end

• Can't ping from DC1 behind TMG1 to DC2 behind TMG2 on a site-to-site VPN connection

  Hi,
  I have a weird problem. I have two TMG servers on each site in a hyper-v lab environment. I have been able to establish the site-to-site VPN successfully however when I ping from DC1 behind TMG1(on site 1) to TMG2, DC2, i am able to ping. However the opposite
  doesn't work. After some trial and error, I figured out that the one initiating the demand-dial request is able to ping the other site, not vice-versa..very strange. I would like to know whether ICMP requests could be achieved bi-directionally..
  Secondly, I am able to ping from TMG1 to all the clients sitting behind TMG2 (including the TMG host), however the clients sitting behind TMG1 can't ping TMG2 neither any of the clients behind it. I tried every possible combination under the firewall policies
  but of complete vain. hell, I am starting to develop a very bad feeling about this product because of making such simple tasks overly complex. I mean, if it were a Cisco or Sonicwall, we could have done this so easily. 
  What my final motive is to send LDAP requests from DC1 to DC2 and vice-versa over a site-to-site VPN so that I could set up 2 different sites in AD on different subnets and then proceed with configuring DAG. But if this simple thing turns out to be such
  major roadblock, dunno how am I gonna pass DAG traffic over it.
  Can someone PLEASE help me!! I am completely exhausted researching on this issue.
  Regards,
  Dman

  Hi，
  For site2site VPN, you must create proper network rule and network set and you need to create proper access rule to allow or deny the traffic between VPN network and any other network.
  http://technet.microsoft.com/en-us/library/bb838949.aspx
  Best Regards
  Quan Gu

• Recover an iMovie from a failed external drive?

  Has anyone been able to get an entire iMovie recovered from a failed external Firewire drive? My LaCie just won't power up despite having its light come on, and having other external drives connected through it to my iMac and working fine.
  I was about to do some backing up after finishing some edits on my latest iMovie, located on that drive. The edits were taking a longer time than usual, with spinning beach ball going on and on, so I decided to restart the Mac and see if that would speed things up. A restart resulted in a totally white screen for over 20 minutes, so I powered off with the switch, and powered on again with it a few minutes later. After three tries, including trying to boot from the installation disk, the iMac sprang to life again, and three of my external drives came on as usual, but not the La Cie that has my iPhotoLibraries and the iMovies I am working on. It is not a problem with power cords or the Firewire cables, as I swapped them out with the other drives, and everything works except this drive will not power up. Its light comes on, and the Firewire ports allow the other drive to come on, as this one is the one connected to the iMac, but the drive remains cold and quiet, just sits there with its blue light blinking.
  I just need it to power on long enough to transfer my data to another drive.
  I will settle for drive-recovery if that means I will get all my movies and photos back......anyone ever had to use a drive recovery service for this? If so, how did it work?
  I do have backups for the photos, but not all of them as I don't usually backup every day. The movies will have to be recreated I can do this, it will just take lots of time......
  not happy with this situation....any support/sympathy greatly appreciated!

  Beverly Maneatis wrote:
  .. The drive comes on and its light blinks, but does not progress to the drive powering up and the light becoming a solid nonblinking. ..
  sorry to contradict you, Bev, but the drive itself has no lights.. :
  (pic by wikipedia)
  THIS is your drive with your precious data .. no blinks ...
  ok, I'm a typically 'Tim Taylor/Home Improvement'-guy (incl. friends in hospital...), so maybe a daredevil about screwing things up/open (pun-taaaa). if you open the housing (usually 4 screws on bottom), you would see a power-supply, some small board for the interface electronics, a fan, some small board for some other electronics. and two cables: one with 4 cables (=power), one flat cable with ~20something wires (=data).. the drive is fixed with another four screws.. it is really dead easy, and you can not damage the drive itself, except you wear some angora and plastic sandals, to get some zillion of volts of static electricity into your fingertips ...
  so, if you find a nice PC-guy, ask him to place the drive into another housing (usb or fw.. doesn't matter...).. for a pro, that is a 5min procedure.. I'm pretty sure, it will work! < fingers crossed > < throwing ash over shoulder > < murmering some Hun's incantaion >

• Lync to Lync calls not working when users outside of network. But calls from Lync to external numbers do work.

  Hello,
  We are having the following issue: when our lync users are outside of our network, just connected to their home internet or a public WiFi  and not on VPN, they cannot place calls to other
  Lync users inside our network. They get a poor network connection message on the call window. But they are able to make calls from Lync to external numbers without a problem.
  Inside our network, Lync to Lync calls work perfectly fine, the same for calls from Lync to external numbers.
  Does anybody know what could be the cause of our issue? Perhaps I'm missing a setting on our Edge server. What should be the first thing I should check on my Lync servers?
  Thanks for any help!

  Have you opened up ports on your firewall from your internal clients to the edge on UDP/3478 and TCP/443?  This sounds like you might have a problem there.  Can you internal clients properly route to this subnet and resolve the pool name of your
  edge pool? 
  Ports and protocols poster, check out in A/V section client traffic to edge showing UDP/3478 and TCP/443:
  http://www.microsoft.com/en-us/download/details.aspx?id=39968 
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Can PING/ASDM/SSH to External IP but not to Internal IP on PIX itself

  We have two networks HQ and Site1 and for some reason we can’t ping the inside IP for Site1 PIX device. We have site-site-VPN set up between the two and everything works fine except we can’t ping the Site1 PIX from internal IP. However, I can ASDM/SSH in from HQ to the external IP of the Site1 PIX.
  HQ is using an ASA 5550 (172.1.0.1)
  PC from HQ (172.1.64.x)
  Site1 is using a PIX-515E (172.2.0.1)
  PC from Site1 (172.2.64.x)
  Ping from HQ PC to Site1 PC (172.1.64.x to 172.2.64.x) works fine
  Ping from Site1 PC to HQ PC (172.2.64.x to 172.1.64.x) works fine
  Ping from HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
  Ping from HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
  ASDM/SSH from any HQ PC to Site1 PIX internal IP (172.1.64.x to 172.2.0.1) doesn’t work
  ASDM/SSH from any HQ PC to Site1 PIX external IP (172.1.64.x to Site1 external IP) works fine
  Everything was working fine until we recently changed the outside IP address for Site1 because we switch to a different ISP. Nothing changed on the HQ ASA or Site1 PIX other than the outside IP address on Site1 PIX. I did rebuild the site-to-site VPN tunnel between Site1 and HQ.
  Thanks first in advance for any ideas/suggestions.

  Thanks Julio for your reply. We are currently running PIX Version 8.0 (3) and yes we do have management-access inside configured.
  Cisco PIX Security Appliance Software Version 8.0(3)
  Device Manager Version 6.0(3)
  Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list

• How to Create PR from exeternal SQL Server through IDOC

  Dear all,
  I am in trouble while creating PR from exeternal SQL Server through IDOC . although I have created PR from TCODE we19 giving input as well as from function writen below
  My scnerio is from external system(Sql) want to send data to sap to create PR return PR No to SQl Server
  Not having idea how to do
  Basic Type for Idoc : PREQCR01
  Message Type       : PREQCR
  Function Module    : BAP_Idoc_Input1
  Thanxs in Advance

  if you have XI installed,
  than it would be easy,
  just use JDBC channel->XI->SAP IDOC.
  otherwise,
  you can export the table from the SQL to CSV file,
  and import it with LSMW with IDOC PREQCR01.

• Ping from lower security interface to a higher

  Hello,
  I have a Cisco 5520 ASA firewall with a direct connection to a Checkpoint firewall.  On the inside network of my ASA i have a server that needs to ping a server on the dmz on the Checkpoint and vice versa.  So i have the correct routing and firewall rules on both devices.
  I can successfully ping from my server on the INSIDE interface on the cisco asa to the server on the DMZ on Checkpoint but i cant ping in the other direction.
  Q Is this because i am trying to go from a lower security interface on the asa to a higher one?
  I cant be sure if the error is on my asa or the checkpoint because neither is showing anything in the logs?
  Everything else on both firewalls is fine.
  regards,
  Kevin

  Hi,
  Its hard to tell what the actual problem is at the moment.
  With regards to the "security-level" value, the situation is if the interface doesn't have an ACL configured on it then traffic sourced from networks behind it will be allowed to networks located behind interfaces of lower "security-level". If the source interface for the direction that is not working doesnt hold an ACL and has lower "security-level" than the destination interface then you will have to configure an interface ACL to allow this traffic.
  Then again, the problem might be as simple as the server simply rejecting the ICMP Echo but allowing itself to ICMP Echo some remote destination and receive an Echo Reply for that. In other words, the server can ICMP remote hosts but wont accept ICMP Echo from remote hosts. It might reply to hosts on the directly connected network. So if there is no clear reason for the traffic to not go through I would consider checking the server software firewall.
  It might also be that the working direction has been configured with Dynamic PAT and there is no correct translation for the other direction to enable sending ICMP to the server.
  You can easily test the ASA configuration with the "packet-tracer" so that would be the first natural step to determening the reason of the problem or atleast narrowing it down.
  packet-tracer input icmp 8 0
  In the above command you would use the interface nameif behind which the ICMP Echo is coming from (8 0 = ICMP Echo). The source IP address is obvious. The destination IP address should be the NAT IP address of the server IF there is NAT being performed. If NO NAT is done for the destination then you naturally use the real IP address.
  Hope this helps
  - Jouni