687 Views | 0 Helpful | 6 Replies

Cannot Ping from vpn client to internal network

kjanakiraman
Level 1

I have a Cisco PIX 515 firewall with 6.2 IOS loaded. I have configured it for Cisco VPN site-to-client access. I am able to connect to the PIX firewall through the VPN client and am able to browse the web servers there using the internal IP address, but I cannot ping any of the internal systems. Can someone advise what I need to do?

Thanks in advance

6 Replies

a.awan
Level 4

You mean you can browse the servers but cannot ping the same servers? Is there any access-list bound to the inside interface of the PIX?

We were using conduits before and everything worked fine. Now I have changed everything to access-lists. I am not able to ping from my internal systems to any system outside the firewall.

I have opened port 80 for my web server as below:

access-list acl_out permit tcp any host x.x.x.x1 eq www

access-group acl_out in interface outside

The web server is working from outside, but when I give

access-list acl_out permit icmp any host x.x.x.x1

the web server cannot be pinged from outside.

By default the PIX permits ping from inside to outside (which I believe), but I am not able to ping any system outside the firewall, even the Ethernet interface of the router.

For VPN I have created an access-list:

access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
(192.168.1.0/24 is the inside network; 192.168.9.0/24 is the VPN pool)

nat (inside) 0 access-list 108

to exempt that traffic from translation, but I could not ping from my external system using the VPN client, though when I browse the same web site or the mail server by the internal IP address, the web site and the mail server open fine.

Try this ICMP ACL:

access-list acl_out permit icmp any host x.x.x.x1 echo-reply

I tried, but I am still getting a request timed out when pinging x.x.x.x1 from outside. When I give sh access-list acl_out, the hit count for access-list acl_out permit icmp any host x.x.x.x1 echo-reply is showing 0, though I gave a continuous ping from outside.

ehirsel
Level 6

Is the stateful firewall active on the VPN client? Validate by bringing up the VPN client GUI interface (it's either ipsecdialer.exe or vpngui.exe). I assume that you are running the VPN client on the MS Windows platform - let me know if this is not the case.

Select Options from the menu bar and check whether the stateful firewall is active.

If it is, open up the vpnclient.ini file; you may need to add or modify this statement in the [main] section:

StatefulFirewallAllowICMP=

Change the value to 1; I believe that 0 is the default. The value 1 will allow the ICMP to cross the firewall.

I believe that this only takes effect when the stateful firewall is active, but even if it is not, you may want to make the change anyway and attempt the ping.

Also check these:

On the firewall, check to see if it allows ICMP between the clients and the inside servers. Do you have the sysopt permit-ipsec option enabled on the PIX? If not, then ensure that you allow the ICMP echo from the VPN client subnet to the inside network - you do this by coding an ACL entry on the interface that terminates the VPN connections.

In some cases you may need to allow the echo-reply on the interface towards the internal network to allow the reply back from the inside network even if you allow the echo from the vpn client.

Let me know if you need more help.
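The following PIX 6.x configuration fragment pulls together a.awan's echo-reply entry and ehirsel's VPN-side points. It is an added example, not configuration posted by anyone in this thread; 203.0.113.10 and 192.168.1.10 are hypothetical stand-ins for x.x.x.x1 and the web server's inside address, and the pool name vpnpool is assumed. The underlying point is that PIX 6.x does not track ICMP statefully (ICMP inspection only arrived in PIX 7.0), so each ICMP direction must be permitted on the interface where the packet enters: pings sent out from the inside need echo-reply permitted inbound on the outside interface, while pings from the Internet to the web server need echo permitted inbound there. That is also why an echo-reply entry shows 0 hits while testing with pings from outside: the packets arriving are echoes, not echo-replies.

```cisco
! Added example, not from this thread. PIX 6.x syntax.
! 203.0.113.10 / 192.168.1.10 / vpnpool are hypothetical stand-ins.

! --- Outside interface: everything entering from the Internet ---
! Inbound HTTP to the web server's public address
access-list acl_out permit tcp any host 203.0.113.10 eq www
! Allow outside hosts to ping the web server (inbound echo, ICMP type 8)
access-list acl_out permit icmp any host 203.0.113.10 echo
! Replies to pings that inside hosts send out. PIX 6.x keeps no ICMP state,
! so the returning echo-reply (type 0) must be permitted explicitly; "any any"
! also covers replies to the PAT address, not just to the static above.
access-list acl_out permit icmp any any echo-reply
! Useful diagnostics for traceroute / path MTU from inside hosts
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside

! Static translation so the web server is reachable at 203.0.113.10
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! --- VPN clients: address pool and NAT exemption (as in the thread) ---
ip local pool vpnpool 192.168.9.1-192.168.9.254
access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list 108

! Either let decrypted IPsec traffic bypass the interface ACL ...
sysopt connection permit-ipsec
! ... or, without it, permit the clients' pings explicitly on the
! terminating (outside) interface:
! access-list acl_out permit icmp 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0 echo

! If an ACL is bound to the inside interface, it must also pass the replies
! that inside hosts send back to the VPN clients:
! access-list acl_in permit icmp any any echo-reply
! access-group acl_in in interface inside

! Pings addressed to the PIX's own outside address are governed by the icmp
! command (permitted by default when no icmp rules exist), not by acl_out
icmp permit any echo outside
icmp permit any echo-reply outside
```

After applying the entries, sh access-list acl_out should show the echo entry's hit count rising when pinging 203.0.113.10 from outside, and the echo-reply entry's count rising when pinging out from an inside host; a counter that stays at 0 means the packet is not reaching that entry, which is usually a translation or routing problem rather than an ACL problem.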

The stateful option is not active, and the ping was working till the other day when I had conduit statements on the firewall. Now I have replaced all the conduit statements with access-lists, after which I am not able to ping from inside my network to anywhere outside the firewall, even to the Cisco router, though ping is allowed by default from inside.