04-28-2008 06:08 PM - edited 03-09-2019 08:36 PM
Hi everyone,
We have a IPSec tunnel to the head office. Our local address pool is 10.0.0.0/24. In the router, when I ping a remote server (ping 192.168.1.1) it doesn't work. But when I ping with the source interface (bvi1 = 10.0.0.1/24), it works: ping 192.168.1.1 source bvi1.
Could you please tell me the difference between the two commands? And why can't I ping in the normal way? If a computer is in the 10.0.0.0/24 subnet, can it ping the remote server?
Thank you,
Triet
Solved! Go to Solution.
04-29-2008 02:39 AM
It all depends what is in your crypto access-list. So if your crypto access-list reads something like
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 ( Router version )
or
access-list vpntraffic permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (Pix version )
then you need to generate the ping with a source IP address in the 10.0.0.x range. When you ping from the router without specifying the source interface the router will use it's outside interface. If the IP address of this outside interface is not in your crypto map access-list then it will not work.
Jon
04-29-2008 02:39 AM
It all depends what is in your crypto access-list. So if your crypto access-list reads something like
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 ( Router version )
or
access-list vpntraffic permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (Pix version )
then you need to generate the ping with a source IP address in the 10.0.0.x range. When you ping from the router without specifying the source interface the router will use it's outside interface. If the IP address of this outside interface is not in your crypto map access-list then it will not work.
Jon
04-30-2008 07:09 PM
Thank you Jon. That's very clear explanation.
Triet
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide