
Can not ping inside host

rjain
Level 1

I have the following scenario:

VPN CLIENT ---> PIX Firewall ---> Router (internal). I have my internal network on the same subnet as the router and the PIX, but the default gateway for all the workstations and servers is the router. The VPN client can connect to the PIX firewall but cannot ping or RDP to the servers or PCs. My VPN client network is 10.10.2.0, while my internal network is 192.168.10.X; the PIX is .253 and the router is .254. How can I ping from the internal router to the VPN client, or from the VPN client to the servers? Please help me out.

Thanks

4 Replies

wisfaque
Level 1

Hi there

So your PIX has the default gateway as that of the router.

Make sure you have the following on the PIX and the router:

pix:

----

access-list nat0 permit ip 192.168.10.0 mask 10.10.2.0 mask

access-list nat0 permit ip internal mask 10.10.2.0 mask

nat (inside) 0 access-list nat0

Also, from what I could understand, the PIX's inside IP is 192.168.10.253 and it is connected to the router at 192.168.10.254. Now say the network behind the router is "internal";

on the PIX add routes as

route outside 10.10.2.0 mask default-gateway (pix)

route inside internal mask 192.168.10.254

On the router:

--------------

1) Make sure there is no NATing for the VPN traffic

2) add a route as

ip route 10.10.2.0 mask 192.168.10.253

This should solve it. In case it doesn't, connect with the client, try to pass traffic, and get the output of "sh cry ipsec sa" on the PIX please.

Let us know how it goes:

Regards

Wakif
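Added example (not from this thread, and not Cisco's own tooling): a small Python model of the two things the reply above asks you to verify, the nat0 exemption on the PIX and the return route on the router. It assumes the thread's addressing (VPN pool 10.10.2.0/24, LAN 192.168.10.0/24, PIX inside .253, router .254) and uses an assumed placeholder 203.0.113.1 for the router's upstream next hop. The point it shows is the asymmetric path: the client's packet arrives through the PIX and reaches a server directly on the shared subnet, but the server's reply goes to its default gateway, the router, which without the static route forwards 10.10.2.x upstream instead of back to the PIX.

```python
import ipaddress

# Addressing taken from the thread.
VPN_POOL = ipaddress.ip_network("10.10.2.0/24")
INSIDE_LAN = ipaddress.ip_network("192.168.10.0/24")
PIX_INSIDE = ipaddress.ip_address("192.168.10.253")
ROUTER = ipaddress.ip_address("192.168.10.254")
# Assumed placeholder for the router's upstream next hop (not in the thread).
UPSTREAM = ipaddress.ip_address("203.0.113.1")

# Router table as (prefix, next hop); "connected" marks a directly attached subnet.
ROUTER_ROUTES_BEFORE = [
    (INSIDE_LAN, "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM),
]
# After adding: ip route 10.10.2.0 255.255.255.0 192.168.10.253
ROUTER_ROUTES_AFTER = ROUTER_ROUTES_BEFORE + [(VPN_POOL, PIX_INSIDE)]

# PIX nat0 ACL entries as (source, destination); flows that match bypass NAT
# via "nat (inside) 0 access-list nat0".
NAT0_ACL = [
    # access-list nat0 permit ip 192.168.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    (INSIDE_LAN, VPN_POOL),
]


def next_hop(routes, dst):
    """Longest-prefix match over the router table; returns the next hop."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def nat_exempt(acl, src, dst):
    """True if the PIX would pass src->dst untranslated (a nat0 entry matches)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def reply_path_ok(routes, acl, server, client):
    """The client's packet already reached the server through the PIX. The reply
    only gets back if the server's default gateway (the router) hands it to the
    PIX inside interface and the PIX leaves the addresses untranslated."""
    return next_hop(routes, client) == PIX_INSIDE and nat_exempt(acl, server, client)


if __name__ == "__main__":
    for label, routes in (("before", ROUTER_ROUTES_BEFORE), ("after", ROUTER_ROUTES_AFTER)):
        print(label, "router sends reply to 10.10.2.1 via", next_hop(routes, "10.10.2.1"),
              "| reply path ok:", reply_path_ok(routes, NAT0_ACL, "192.168.10.10", "10.10.2.1"))
```

The model deliberately leaves out what it cannot know from the thread: the PIX's own route for the pool out the outside interface, any interface ACLs, and host firewalls on the servers, all of which can still drop the reply even when both checks here pass.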

No, it did not work. I have my PIX, router and internal network on the same subnet. When I tried to define the 192.168.10.x network on the PIX it did not take it, as it is directly connected. Also, on the PIX, for the statement route outside 10.10.2.0 255.255.255.0 ? --> what address does it have to be? Is it the PIX outside or inside address? I defined the outside one. I tried with the inside one also, but it did not work.

Here is the output of show crypto ipsec sa.

interface: outside

Crypto map tag: mach1map, local addr. 140.99.111.98

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.2.1/255.255.255.255/0/0)

current_peer: 216.161.188.94

dynamic allocated peer ip: 10.10.2.1

PERMIT, flags={}

#pkts encaps: 102, #pkts encrypt: 102, #pkts digest 102

#pkts decaps: 93, #pkts decrypt: 93, #pkts verify 93

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 140.99.111.98, remote crypto endpt.: 216.161.188.94

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: a3ba4325

inbound esp sas:

spi: 0x4ab674dd(1253471453)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: mach1map

sa timing: remaining key lifetime (k/sec): (4607988/28327)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xa3ba4325(2746893093)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: mach1map

sa timing: remaining key lifetime (k/sec): (4607991/28321)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

It looks like the tunnel is set up, but for some reason I can't send the packet.
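Added example (not from this thread): a Python parser for the fields of "show crypto ipsec sa" that matter when a tunnel negotiates but hosts stay unreachable. The constructed sample below is the poster's output cut down to the lines the parser reads. On a PIX, "#pkts encaps" counts packets this firewall encrypted toward the peer and "#pkts decaps" counts packets it decrypted from the peer, so a zero on either side points at where traffic stops. In the posted output both counters are non-zero and there are no errors, which is consistent with the poster's own conclusion that the tunnel itself was fine and the block lay elsewhere. The transform (esp-des) is flagged separately: single DES is cryptographically weak, but it is not why pings fail.

```python
import re

# Constructed sample: the identities, counters and transforms from the
# "show crypto ipsec sa" output posted above, cut down to the lines used here.
SAMPLE_SA = """\
interface: outside
Crypto map tag: mach1map, local addr. 140.99.111.98
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.2.1/255.255.255.255/0/0)
current_peer: 216.161.188.94
#pkts encaps: 102, #pkts encrypt: 102, #pkts digest 102
#pkts decaps: 93, #pkts decrypt: 93, #pkts verify 93
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x4ab674dd(1253471453)
transform: esp-des esp-md5-hmac ,
outbound esp sas:
spi: 0xa3ba4325(2746893093)
transform: esp-des esp-md5-hmac ,
"""


def parse_ipsec_sa(text):
    """Pull out the fields that matter for 'tunnel is up but nothing works'
    triage. encaps = packets this PIX encrypted toward the peer;
    decaps = packets it decrypted from the peer."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None

    return {
        "local_ident": grab(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "peer": grab(r"current_peer: (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
        # "esp-des esp-md5-hmac ," -> "esp-des esp-md5-hmac" (stops before " ,")
        "transforms": sorted(set(re.findall(r"transform: ([\w-]+(?: [\w-]+)*)", text))),
    }


def triage(sa):
    """Return connectivity findings. An empty list means IPsec is carrying
    traffic in both directions and the problem lies outside the tunnel."""
    findings = []
    if not sa["decaps"]:
        findings.append("no packets decapsulated: nothing from the client arrives on "
                        "this SA (peer, proxy identities or remote-side filtering)")
    if not sa["encaps"]:
        findings.append("no packets encapsulated: the PIX never sends anything back into "
                        "the tunnel (route to the pool, nat0 exemption, router return route)")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present on the SA")
    return findings


def ipsec_passing_both_ways(sa):
    """True when packets have been both encrypted to and decrypted from the peer."""
    return bool(sa["encaps"]) and bool(sa["decaps"])


def weak_transforms(sa):
    """Single DES (esp-des) is cryptographically weak; reported apart from the
    connectivity findings so it is not mistaken for the cause of the outage."""
    return [t for t in sa["transforms"] if "esp-des" in t.split()]


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA)
    print(sa)
    print("connectivity findings:", triage(sa) or "none (look beyond IPsec)")
    print("weak transforms:", weak_transforms(sa))
```

When the counters climb in only one direction, re-run the command while the client pings and compare the deltas; the side that stays flat is the side to troubleshoot.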

Hello there

Say the PIX's outside IP is 200.1.1.1.

On the PIX add the route as

route outside 10.10.2.0 255.255.255.0 default gateway IP (from the 200.1.1. range)

On the router add the route

ip route 10.10.2.0 255.255.255.0 PIX's interface IP (the interface IP to which the router is connected)

Also see if there is an ACL applied on the router, and also on the "inside interface of the PIX".

Hope this helps

Regards

wakif

I had that statement. I got the problem resolved. It was the firewall on the remote site which was not passing the traffic. Thanks for the answer.