https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43928#M686405 <P></P><P>Hi,</P><P></P><P>I have pix 6.1 firewall in the corporate office,</P><P></P><P>I have pix 3.1 client in the remote network,</P><P></P><P>I have setup the VPN access,</P><P></P><P>I am able to connect to the pix from the remote network and be able to ping outside ip address of the PIX,</P><P></P><P>I am not able to ping the inside IP address of the PIX.</P><P></P><P>here is the configuration</P><P></P><P>isakmp enable outside</P><P>sysopt connection permit-ipsec</P><P>isakmp policy 8 authentication pre-share</P><P>isakmp policy 8 encr des</P><P>isakmp policy 8 hash md5</P><P>isakmp policy 8 group 2 </P><P>isakmp key "password this you know" address 0.0.0.0 netmask 0.0.0.0</P><P>ip local pool amapool 10.10.11.1-10.10.11.254</P><P>access-list 101 permit ip 10.0.0.0 255.0.0.0 10.10.11.0 255.255.255.0</P><P>nat (inside) 0 access-list 101</P><P>crypto ipsec transform-set mytrans esp-des esp-sha-hmac</P><P>crypto dynamic-dynmap 10 set transform-set mytrans</P><P>crypto map remote 10 ispec-isakmp dynamic dynmap</P><P>vpngroup amaxbot address-pool amapool</P><P>vpngroup amaxbot password (this you know)</P><P>vpngroup amaxbot idle-time 1800</P><P>crypto map remote interface outside</P><P></P><P></P><P></P><P>any suggestions,</P><P></P><P>Thanks,</P><P></P><P>Raul</P> Fri, 21 Feb 2020 05:57:12 GMT ssvrao 2020-02-21T05:57:12Z https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43928#M686405 <P></P><P>Hi,</P><P></P><P>I have pix 6.1 firewall in the corporate office,</P><P></P><P>I have pix 3.1 client in the remote network,</P><P></P><P>I have setup the VPN access,</P><P></P><P>I am able to connect to the pix from the remote network and be able to ping outside ip address of the PIX,</P><P></P><P>I am not able to ping the inside IP address of the PIX.</P><P></P><P>here is the configuration</P><P></P><P>isakmp enable outside</P><P>sysopt connection permit-ipsec</P><P>isakmp policy 8 authentication pre-share</P><P>isakmp policy 8 encr des</P><P>isakmp policy 8 hash md5</P><P>isakmp policy 8 group 2 </P><P>isakmp key "password this you know" address 0.0.0.0 netmask 0.0.0.0</P><P>ip local pool amapool 10.10.11.1-10.10.11.254</P><P>access-list 101 permit ip 10.0.0.0 255.0.0.0 10.10.11.0 255.255.255.0</P><P>nat (inside) 0 access-list 101</P><P>crypto ipsec transform-set mytrans esp-des esp-sha-hmac</P><P>crypto dynamic-dynmap 10 set transform-set mytrans</P><P>crypto map remote 10 ispec-isakmp dynamic dynmap</P><P>vpngroup amaxbot address-pool amapool</P><P>vpngroup amaxbot password (this you know)</P><P>vpngroup amaxbot idle-time 1800</P><P>crypto map remote interface outside</P><P></P><P></P><P></P><P>any suggestions,</P><P></P><P>Thanks,</P><P></P><P>Raul</P> Fri, 21 Feb 2020 05:57:12 GMT https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43928#M686405 ssvrao 2020-02-21T05:57:12Z https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43929#M686416 <HTML><HEAD></HEAD><BODY><P>By default you cannot ping the opposite side of the pix.</P><P></P><P>Inside users can ping the inside interface but not the outside and vice versa.</P><P></P><P>Although you are coming through a vpn, it is still from outside and same rules apply.</P><P></P><P>Also</P><P>As you are using the unified client, the wildcard isakmp key line is not required. The client connects using the group name amaxabot and the password specified in the vpngroup statement.</P></BODY></HTML> Tue, 15 Jan 2002 12:40:11 GMT https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43929#M686416 turnbull 2002-01-15T12:40:11Z https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43930#M686480 <HTML><HEAD></HEAD><BODY><P></P><P>Hi,</P><P></P><P>In addition to not being able to ping inside interface IP address, I was not able ping any machine which has an IP address in the inside address range of PIX.</P><P></P><P>In other words I was not able to ping any machine in their LAN.</P><P></P><P>Now I think I have solved it, I have added the manual route to the inside interface in my client, with metric 2.</P><P></P><P>Now I am able to ping machines which are inside the pix interface range.</P><P></P><P>Thanks,</P><P>Raul</P><P> </P></BODY></HTML> Tue, 15 Jan 2002 19:58:34 GMT https://community.cisco.com/t5/network-security/can-not-ping-pix-inside-interface/m-p/43930#M686480 ssvrao 2002-01-15T19:58:34Z