10-08-2008 02:21 PM - edited 03-09-2019 09:38 PM
Hi
I have created a VPN tunnel between sitea and siteb, but I am unable to ping the inside interfaces for both sites.
Could you please suggest what to do? When I look at the PDM page on both sites' PIX 501, it's showing:
=========================================
VPN STATUS
Ike Tunnels 1 Ipsec Tunnels 1
=========================================
Please see attached config.
Thanks
10-08-2008 03:52 PM
Hi,
You need to configure "management-access inside" to access the inside interface of the Pix through the IPSEC Tunnel.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951
Regards,
Arul
** Please rate all helpful posts **
10-09-2008 03:31 AM
I cannot ping from siteA to siteB.
I have tried; it still doesn't work.
Any reason?
10-09-2008 04:21 AM
Hi,
From a quick flick through, there are several things wrong. Firstly, the access lists configured on A appear to be wrong (11.1177.190 is not a valid IP address); secondly, the outbound access list is not applied to an interface.
Secondly, the outbound access list (applied on the inside interface) will need to contain the IP address of the remote internal network, e.g. "access-list outbound permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0". Same with the access list on B: it is not applied to an interface and needs reconfiguring.
I have not checked the cryptomap config etc., as, given that you got the tunnels up, it seems to be working.
Thanks
10-10-2008 01:52 AM
Thanks for the reply. I have tried; still the same problem. One thing I forgot to tell you: I can ping from the command prompt to remote PCs, but I am unable to ping 192.168.0.1 and 192.168.1.0 remotely.
When I try to ping from PDM - Tools - Ping, I am unable to ping any remote PCs. Do you think it is to do with the PDM version? I am currently using PDM 3.0.
Thanks
10-10-2008 02:50 AM
Hi,
Would you be able to post the new current config? Could you also just clarify exactly what it is you are trying to ping from where? I am a bit lost!
I very much doubt it's to do with the version of PDM though, no.
Thanks
10-11-2008 05:15 AM
10-11-2008 08:57 AM
Hi,
So (correct me if I am wrong) the VPN tunnels ARE working, and you can ping from PCs on the subnets across the VPN to PCs on the other subnets. It is just pinging from the PIX to the other PIX through the GUI?
If this is the case, it could be to do with the IP address the pings are coming from. You can select which address to source the pings from. Have you tried changing this? It could well be sending the pings out but using an IP address that will not be sent across the VPN tunnel.
I would clear the crypto SAs and then initialise some pings etc. Run the command "show crypto ipsec sa" and it will give you information on the number of packet encrypts and decrypts etc. If these counters are not increasing, the traffic is not going over the VPN tunnels and it is likely to be a problem with something such as an access list.
Thanks
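The counter check suggested in the reply above, as an added Python example that is not part of the original thread: it compares two captures of "show crypto ipsec sa" taken before and after a ping test and reports, per tunnel, whether the encrypt and decrypt counters moved. The sample output is constructed and abbreviated to the lines the parser reads, the peer address 203.0.113.2 is a placeholder, and the verdict names are labels chosen for this example; separating one-way traffic goes slightly beyond what the reply describes.

```python
import re

# Constructed sample in the PIX "show crypto ipsec sa" layout (abbreviated).
# Subnets are the ones named in the thread; the peer address is a placeholder.
SA = """\
interface: outside
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 203.0.113.2
    #pkts encaps: {e}, #pkts encrypt: {e}, #pkts digest {e}
    #pkts decaps: {d}, #pkts decrypt: {d}, #pkts verify {d}
"""
IDENT = re.compile(r"^\s*(local|remote)\s+ident\b.*:\s*\(([^)]*)\)")
COUNT = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse_sa(text):
    """Return {(local_ident, remote_ident): {"encrypt": n, "decrypt": n}}."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            ident[m.group(1)] = m.group(2)
            if m.group(1) == "remote":      # remote ident closes the pair
                key = (ident.get("local"), ident["remote"])
                sas[key] = {"encrypt": 0, "decrypt": 0}
        elif key:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas

def diagnose(before, after):
    """Classify each SA by how its counters changed between two captures."""
    old, verdicts = parse_sa(before), {}
    for key, new in parse_sa(after).items():
        base = old.get(key, {"encrypt": 0, "decrypt": 0})
        # If the SAs were cleared in between, counters restart from zero.
        sent, rcvd = (new[c] - base[c] if new[c] >= base[c] else new[c]
                      for c in ("encrypt", "decrypt"))
        if sent and rcvd:
            verdicts[key] = "both_directions"
        elif sent:
            verdicts[key] = "outbound_only"     # replies never decrypted
        elif rcvd:
            verdicts[key] = "inbound_only"
        else:
            verdicts[key] = "not_using_tunnel"  # check ping source / access lists
    return verdicts

if __name__ == "__main__":
    print("PC-to-PC ping:", diagnose(SA.format(e=40, d=38), SA.format(e=45, d=43)))
    print("Ping from PIX:", diagnose(SA.format(e=45, d=43), SA.format(e=45, d=43)))
```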
10-11-2008 05:17 AM