Ping across a VPN tunnel

bth_dad
Level 1

I have a VPN tunnel up between a Pix 501 (I own) and a Cisco router (owned by another company). We want a way to verify we can get to specific devices on the other side of the tunnel. Pings fail and when I do a traceroute the last hop is the router before my Pix. I see the traffic go across the tunnel, however, so I know that the routing of the networks is correct. Is there something I need to do to allow pings across this tunnel and to have the Pix respond as a hop in my traceroute?

access-list outside_cryptomap_20 permit ip 209.XX.254.0 255.255.254.0 object-group XXX
access-list outside_cryptomap_20 permit icmp any any
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer XXX.XX.7.164
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

Thanks,

Todd

2 Replies

aacole
Level 5

Todd,

You should be able to ping across the tunnel so long as none of the devices are configured to drop the echo packets. Can you ping the inside interface of the PIX?

If you traceroute to an Internet site (not across the VPN) does the PIX address appear in the output?

Andy

a.awan
Level 4

The first thing to verify is whether the IPSec tunnel is up or not. You have provided a partial configuration of the PIX. Can you provide the full configuration so all the required commands can be verified? It might also be helpful to get the configuration of the remote router.

As an informational note, do verify that the traffic between the sites (over the tunnel) should not prevented from being NATTED on the PIX and the router (if NAT is in effect there).
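
An added example, not part of the original thread: a small Python check over the configuration fragment posted in the question. It lists the crypto ACL each crypto map entry matches, flags any-to-any selectors in it, and reports whether a NAT exemption statement is visible, the point raised in the last reply. The `nat (<interface>) 0 access-list <name>` form it looks for is an assumption about the rest of the PIX configuration, which the thread does not show.

```python
import re

# Constructed sample: lines copied from the fragment in the question,
# masked values (XX, XXX) left exactly as posted.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 209.XX.254.0 255.255.254.0 object-group XXX
access-list outside_cryptomap_20 permit icmp any any
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer XXX.XX.7.164
crypto map outside_map interface outside
"""

def audit(config):
    """Map each (crypto map, sequence) to its ACL entries and NAT-exemption ACLs."""
    acls = {}          # ACL name -> list of "action rest-of-entry" strings
    crypto_acls = {}   # (map name, sequence) -> ACL name from "match address"
    nat0_acls = set()  # ACL names referenced by "nat (<if>) 0 access-list <name>"
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (permit|deny) (.+)", line):
            acls.setdefault(m[1], []).append(f"{m[2]} {m[3]}")
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            crypto_acls[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acls.add(m[1])
    report = {}
    for key, acl in crypto_acls.items():
        entries = acls.get(acl, [])
        report[key] = {
            "acl": acl,
            "entries": entries,
            # Each crypto ACL entry must be mirrored on the peer, so
            # any-to-any selectors are worth reviewing with the other side.
            "any_any": [e for e in entries if re.search(r"\bany any\b", e)],
            # Only presence is reported; whether the exemption ACL covers
            # the same networks as the crypto ACL still needs a manual check.
            "nat0_acls": sorted(nat0_acls),
        }
    return report

if __name__ == "__main__":
    for (name, seq), info in audit(SAMPLE_CONFIG).items():
        print(name, seq, info)
```

Run against the full configuration rather than the fragment, an empty `nat0_acls` list means no NAT exemption statement of that form was found.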