10-04-2004 09:10 AM - edited 02-21-2020 01:22 PM
I have a Cisco PIX 515 firewall with 6.2 IOS loaded. I have configured it for Cisco VPN site-to-client access. I am able to connect to the PIX firewall through the VPN client and able to browse the web servers there using the internal IP address, but I cannot ping any of the internal systems. Can someone advise what I need to do?
Thanks in advance
10-04-2004 10:03 AM
You mean you can browse the servers but cannot ping the same servers? Is there any access-list bound to the inside interface of the PIX?
10-04-2004 11:30 AM
We were using conduits before and everything worked fine. Now I changed everything to access-lists. I am not able to ping from my internal systems to any system outside the firewall.
I have opened port 80 for my web server as below:
access-list acl_out permit tcp any host x.x.x.x1 eq www
access-group acl_out in interface outside
The web server is working from outside, but when I give
access-list acl_out permit icmp any host x.x.x.x1
the web server cannot be pinged from outside.
By default the PIX permits ping from inside to outside (which I believe), but I am not able to ping any system outside the firewall, even the Ethernet interface of the router.
For VPN I have created an access-list
access-list 108 permit ip 192.168.1.0 255.255.255.0(inside network) 192.168.9.0 255.255.255.0(vpn pool)
nat (inside) 0 access-list 108
to make that traffic not translate, but I could not ping from my external system using the VPN client; when I browse the same web site or the mail server by the internal IP address, the web site and the mail server open fine.
10-04-2004 01:24 PM
Try this ICMP ACL:
access-list acl_out permit icmp any host x.x.x.x1 echo-reply
10-05-2004 04:24 AM
I tried, but I still get a request timed out when pinging x.x.x.x1 from outside. When I give sh access-list acl_out, the hit count for access-list acl_out permit icmp any host x.x.x.x1 echo-reply is showing 0, though I gave a continuous ping from outside.
10-04-2004 10:14 AM
Is the stateful firewall active on the VPN client? Validate by bringing up the VPN client GUI interface (it's either ipsecdialer.exe or vpngui.exe). I assume that you are running the VPN client on the MS Windows platform - let me know if this is not the case.
Select Options off of the menu bar and look to see if the stateful firewall is active.
If it is, open up the vpnclient.ini file; you may need to add or modify this statement in the [main] section:
StatefulFirewallAllowICMP=
Change the value to 1; I believe that 0 is the default. The 1 value will allow the ICMP to cross the firewall.
I believe that this only takes effect when the stateful firewall is active, but even if it is not, you may want to make the change anyway and attempt the ping.
Also check these:
On the firewall, check to see if it allows ICMP between the clients and the inside servers. Do you have the sysopt permit-ipsec option enabled on the PIX? If not, then ensure that you allow the ICMP echo from the VPN client subnet to the inside network - you do this by coding an ACL entry on the interface that terminates the VPN connections.
In some cases you may need to allow the echo-reply on the interface towards the internal network to allow the reply back from the inside network, even if you allow the echo from the VPN client.
Let me know if you need more help.
10-04-2004 12:51 PM
The stateful option is not active, and the ping was working until the other day when I had conduit statements on the firewall. Now I have replaced all the conduit statements with access-lists, after which I am not able to ping from inside my network to anywhere outside the firewall, even to the Cisco router, though ping is allowed by default from inside.
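Putting the thread's pieces together, here is a constructed PIX 6.2 fragment (not the poster's configuration) that shows why inside-originated pings stop when conduits are replaced by access-lists: PIX 6.x does not inspect ICMP statefully, so the echo-reply coming back has to be explicitly permitted inbound on the outside ACL, which conduit permit icmp any any used to do, and an entry for host x.x.x.x1 echo-reply only matches replies addressed to the web server, not to other inside hosts. The static translation and the 192.168.1.10 server address are assumptions.

```text
! Constructed PIX 6.2 fragment; not the poster's running configuration.
! Lines starting with "!" are annotations, not PIX commands.

! Web server published with a static; 192.168.1.10 is an assumed inside address.
static (inside,outside) x.x.x.x1 192.168.1.10 netmask 255.255.255.255

! Outside ACL. PIX 6.x has no stateful ICMP inspection, so return traffic
! for pings started on the inside must be permitted here explicitly.
access-list acl_out permit tcp any host x.x.x.x1 eq www
! Lets outside hosts ping the web server (inbound echo, not echo-reply).
access-list acl_out permit icmp any host x.x.x.x1 echo
! Lets every inside host receive replies to its own outbound pings;
! this is what "conduit permit icmp any any" used to provide.
access-list acl_out permit icmp any any echo-reply
! Optional: keeps traceroute and path-MTU discovery working.
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside

! Traffic between the inside network and the VPN pool is exempt from NAT.
access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list 108

! Decrypted IPsec traffic (the VPN clients) bypasses the outside ACL,
! so client pings to inside hosts are not blocked by acl_out.
sysopt connection permit-ipsec
```

After applying it, sh access-list acl_out should show the echo-reply entry's hit count rising while an inside host pings outward; a count that stays at 0 means the replies are not reaching the outside interface at all.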