Can't ping VPN router

database
Level 1

I have set up a site-to-site VPN from an 827 router to a Netscreen firewall. The VPN works fine; I can ping from one private network to the other. However, when telnetted into the 827 router, I cannot ping hosts at the other end of the VPN, and I also cannot ping the 827 router's private IP address (Ethernet 0) from behind the Netscreen. I CAN ping the router's public IP address (ATM0).

Any ideas?

3 Replies

MATT HILL
Level 1

Is all other traffic getting through?

Do your access-lists at either end define ICMP as interesting or allowed traffic?

If you mean through the VPN, then yes. For example, from a PC behind the 827 I can connect to any PC behind the firewall: not just ping, but telnet and all other traffic.

Here is the 827 config for you to look at.

Current configuration : 2772 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname kinrtr01
!
logging rate-limit console 10 except errors
enable secret 5 $1$8Kna$x/WbzzqIZLg3nEF6SWuxC.
!
username admin password 7 044F02020E2D
clock timezone GMT 0
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
ip name-server 158.43.240.4
ip name-server 158.43.240.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw vdolive timeout 3600
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key un1tedh0use address 195.x.x.x 255.255.255.240
crypto ipsec transform-set to_swanley esp-des esp-sha-hmac
!
crypto map to_swanley 1 ipsec-isakmp
 set peer 195.x.x.x
 set transform-set to_swanley
 match address 115
!
!
!
!
interface Ethernet0
 ip address 10.130.0.1 255.255.0.0
 ip access-group 101 in
 ip inspect myfw in
 no ip mroute-cache
 hold-queue 32 in
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 ip address 62.x.x.x 255.255.255.248
 ip access-group 102 in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXX
 ppp chap password 7 00031A0A0B541F0715
 ppp pap sent-username XXXXX password 7 00031F0A0B541F0715
 crypto map to_swanley
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
access-list 101 permit ip 10.130.0.0 0.0.255.255 any
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.130.0.0 0.0.255.255
access-list 101 permit ip host 62.x.x.x any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 permit ip host 195.x.x.x any
access-list 115 permit ip 10.130.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 10.130.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
snmp-server manager
!
line con 0
 exec-timeout 120 0
 login local
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

hand
Level 1

You cannot ping the hosts because when you use the standard ping, the source address is the address of the egress interface, so you do not get a hit on the access list, as the access list is set up to filter packets from the LAN side for tunneling across the VPN. List 115 permits packets from 10.130.x.x to 10.10.x.x (implied deny all at the end), so a standard ping, which has a source address of 65.x.x.x, will be denied by the access list. Try using the extended ping, e.g.

ping and follow the prompts. When you are asked for the source address, specify an address on the LAN; that should work!
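The crypto-ACL behaviour described in this reply, as an added example that is not part of the original thread: it models Cisco wildcard-mask matching and the implicit deny, then evaluates access-list 115 from the posted config for a standard ping (sourced from the Dialer1 address) and an extended ping sourced from Ethernet0. The public address is masked in the thread, so a documentation-range placeholder stands in for it; the remote host address is constructed.

```python
from ipaddress import IPv4Address

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# access-list 115 permit ip 10.130.0.0 0.0.255.255 10.10.0.0 0.0.255.255
# Each entry: (action, src, src_wildcard, dst, dst_wildcard)
ACL_115 = [
    ("permit", "10.130.0.0", "0.0.255.255", "10.10.0.0", "0.0.255.255"),
]

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if matches(src, s, sw) and matches(dst, d, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

def crypto_map_decision(src: str, dst: str) -> str:
    """'ipsec' if the crypto map's match address 115 selects the packet,
    otherwise 'cleartext': the packet is routed out Dialer1 unprotected."""
    return "ipsec" if evaluate(ACL_115, src, dst) == "permit" else "cleartext"

# Constructed sample addresses for the two ping cases in the reply.
DIALER1_IP = "203.0.113.10"   # placeholder for the masked 62.x.x.x
ETHERNET0_IP = "10.130.0.1"   # from the posted config
REMOTE_HOST = "10.10.1.25"    # a host behind the Netscreen (constructed)

if __name__ == "__main__":
    # Standard ping from the router: egress-interface source, not selected.
    print("standard ping :", crypto_map_decision(DIALER1_IP, REMOTE_HOST))
    # Extended ping with the LAN address as source: selected for the tunnel.
    print("extended ping :", crypto_map_decision(ETHERNET0_IP, REMOTE_HOST))
```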