01-14-2004 12:47 PM - edited 02-21-2020 01:00 PM
Hello,
I have an IPSec tunnel built between my main office and my remote office.
Everything works fine between the two offices, except I cannot ping the inside interface of either PIX firewall when I am at the other office (i.e. if I am at the remote site, I cannot ping the inside IP of the main office PIX...).
When I telnet into both PIXs, I cannot ping anything on the opposite side of the VPN tunnel.
Here is the config for the remote PIX:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 192.168.XX.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 192.168.XX.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.28.178 255.255.255.248
ip address inside 192.168.XX.1 255.255.255.0
arp timeout 14400
global (outside) 1 X.X.28.179
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.X.28.177 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map XX 15 ipsec-isakmp
crypto map XX 15 match address 100
crypto map XX 15 set peer X.X.29.18
crypto map XX 15 set transform-set strong
crypto map XX interface outside
isakmp enable outside
isakmp key XXXXX address X.X.29.18 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 192.168.XX.0 255.255.255.0 inside
telnet 192.168.XX.1 255.255.255.255 inside
telnet timeout 5
Here is the config on the MAIN office pix:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 300 permit ip 192.168.0.0 255.255.0.0 192.168.XX.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.XX.0 255.255.255.0
pager lines 23
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.29.18 255.255.255.248
ip address inside 192.168.XX.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.XX.148 255.255.255.255 inside
http 192.168.XX.3 255.255.255.255 inside
http 192.168.XX.144 255.255.255.255 inside
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map XX 18 ipsec-isakmp
crypto map XX 18 match address 300
crypto map XX 18 set peer XX.XX.28.178
crypto map XX 18 set transform-set strong
crypto map XX interface outside
isakmp enable outside
isakmp key XXXXX address XX.XX.28.178 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
telnet 192.168.XX.1 255.255.255.255 inside
telnet 192.168.XX.144 255.255.255.255 inside
telnet timeout 10
The reason I want to make sure the PIX on the remote end can communicate with machines on the other end of the tunnel is because I am going to configure URL filtering with Websense, and I want to make sure the request to the IP of my Websense server (which is on the main office side) is available.
Thanks
01-14-2004 03:48 PM
The problems are:
You generally cannot ping the far side of a device that has multiple interfaces. This means you can ping it by the interface nearest you (its outside interface), but never any other.
From the PIX, pinging remote machines, the ping source IP address is likely the outside interface's IP address. If this address is not included in the tunnel (most likely) it will not be able to ping those machines.
Try "ping inside remote.host.ip.here", I think that will send the ping but with the source IP of the inside interface. That might work.
This is a good ICMP on Pixen reference
01-14-2004 04:09 PM
thanks for the reply.
I guess ultimately if the ping fails, it's not a big deal, as long as the forwarded Websense request can get to the Websense server across the VPN, and the reply can get back to the originating PIX firewall across the VPN.
Do you think this is the case, or is all traffic blocked, not just ICMP?
Thanks
Jeff
01-15-2004 12:56 PM
OK, three issues here as I see it. Let me attack them one at a time and see if this helps:
1. Cannot ping the inside of the remote PIX from a device on the other side of the tunnel.
A - This is the expected behavior. The PIX will not route packets back onto the same interface where they were originally received. Or, in other words, a packet must enter one interface and go out another interface. This is the same issue you can see by trying to ping the outside interface of your local PIX from a machine inside that PIX.
2. Cannot ping any remote devices from the local PIX console
A - This is a config error. Your config on your PIXs is only encrypting the internal traffic between the 2 subnets. If you want to source packets from one of the PIXs to the remote internal subnet, you need to add the PIX outside IP address to the crypto ACL. Something like this:
remote PIX:
access-list 100 permit ip 192.168.XX.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 100 permit ip host XX.XX.28.178 192.168.0.0 255.255.0.0
access-list 100 permit ip 192.168.XX.0 255.255.255.0 host XX.XX.29.18
MAIN office PIX:
access-list 300 permit ip 192.168.0.0 255.255.0.0 192.168.XX.0 255.255.255.0
access-list 300 permit ip host XX.XX.29.18 192.168.XX.0 255.255.255.0
access-list 300 permit ip 192.168.0.0 255.255.0.0 host XX.XX.28.178
And finally, 3. Adding a websense config to the remote PIX to use a websense server at the MAIN office site
A - You can do this but I really do not recommend it. Due to latency across the VPN tunnel that you cannot control, the performance with this type of setup is most likely going to be less than desirable. But, if you do want to do this, you are going to need to make sure your crypto ACLs are enabled to allow the remote PIX outside IP address to send packets to the local subnet at the MAIN office (just like I demonstrated in #2 above). The PIX is going to craft a new packet sourced from the outside interface and send it across the tunnel to the Websense server at the MAIN office site. If the response from the website comes back before the response from the Websense server, the PIX can drop the packet from the website. This gives the illusion of poor performance when loading pages. You can configure the PIX to cache the responses pending the Websense reply but this space is finite. So just be careful with this setup.
Hope this helps and good luck.
Scott
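To check the point made in #2 above (the crypto ACL must select packets sourced from the PIX's own outside address, and the two peers' crypto ACLs must be mirror images of each other), here is an added Python example that is not code from this thread. It parses PIX-style access-list lines, using made-up documentation addresses in place of the masked XX values and a constructed 192.168.0.50 as the Websense server.

```python
import ipaddress

# Constructed sample crypto ACLs in PIX syntax; the thread's masked XX values are made-up addresses.
REMOTE_ACL_BEFORE = """
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
"""
REMOTE_ACL_AFTER = REMOTE_ACL_BEFORE + """
access-list 100 permit ip host 203.0.113.178 192.168.0.0 255.255.0.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 host 203.0.113.18
"""
MAIN_ACL_AFTER = """
access-list 300 permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 300 permit ip host 203.0.113.18 192.168.10.0 255.255.255.0
access-list 300 permit ip 192.168.0.0 255.255.0.0 host 203.0.113.178
"""

def _endpoint(tokens):
    """Consume one PIX address spec, 'host A' or 'A NETMASK', returning (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists use real netmasks (not IOS wildcard masks); ipaddress accepts them.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(text, name):
    """Return [(src_net, dst_net), ...] for the 'permit ip' lines of access-list NAME."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", name, "permit", "ip"]:
            continue
        src, rest = _endpoint(tokens[4:])
        dst, _ = _endpoint(rest)
        entries.append((src, dst))
    return entries

def is_interesting(entries, src_ip, dst_ip):
    """True if src_ip -> dst_ip is 'interesting traffic' this crypto ACL would send into the SA."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def is_mirror_image(local, remote):
    """Crypto ACLs on the two peers must be mirror images: every (src, dst) here is (dst, src) there."""
    return {(s, d) for s, d in local} == {(d, s) for s, d in remote}

if __name__ == "__main__":
    before = parse_crypto_acl(REMOTE_ACL_BEFORE, "100")
    after = parse_crypto_acl(REMOTE_ACL_AFTER, "100")
    # Packet the remote PIX sources from its outside interface to the (constructed) Websense server.
    print("before fix:", is_interesting(before, "203.0.113.178", "192.168.0.50"))  # False
    print("after fix: ", is_interesting(after, "203.0.113.178", "192.168.0.50"))   # True
    print("mirror ok: ", is_mirror_image(after, parse_crypto_acl(MAIN_ACL_AFTER, "300")))  # True
```

Running it against your real configs (with the XX values filled in) shows whether a PIX-sourced packet is actually covered by the crypto ACL, and whether the two sides still mirror each other after the edit.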
03-01-2004 04:58 PM
Thanks Scott. I input the above commands on both routers, but I still cannot communicate across the VPN from the pix console.
I am trying to tftp the config from the pix to my PC's internal IP on the other end of the VPN tunnel, but it just fails. Pings also fail to internal IPs on the other end of each tunnel.
Jeff