Lab Environment, IPSEC VPN Works, but cant ping Interfaces

roblyon
Level 1

Hi guys

I would appreciate a hand with a problem I am having with a setup in a lab environment. I'm sure there is something really simple I have missed; perhaps you know what it is.

The basic problem is this: from a host in "Location A" I can ping any host in "Location B" through a standard IPsec VPN except the inside interface of the remote PIX I am connected to via VPN. I am unable to ping/open PDM to the inside interface of "Location A" from a host in "Location B", and I am also unable to ping/open PDM to the inside interface of "Location B" from a host in "Location A".

Here is the network structure:

(HOST A)---(PIX501)----(PIX515)---(HOST B)

If you could have a look at the configs that would be great.

http://users.tpg.com.au/roblyon/501.txt

http://users.tpg.com.au/roblyon/515.txt

Thanks

Rob

Accepted Solution

In versions prior to 6.3, the behavior you report was not allowed by design. This follows the same logic that prevents you from pinging the outside interface of the PIX at location A from a host inside the PIX at location A. In general, a packet needs to have a different egress and ingress interface. When you try pinging a remote interface on a PIX, the packet never actually gets to the send buffer on the remote interface. Therefore, it is disallowed.

Now, with that said... we have a solution in the 6.3 version of code (as you may have guessed from my earlier statement). Take a look at the "management-access" command. This allows for certain functions to the inside interface of the remote PIX *if* the traffic comes across an IPSec tunnel.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951

Hope this helps.

Scott

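As an added example (not taken from Rob's posted configs, which are only linked in the thread), here is how the management-access command from Scott's answer sits next to the http entry Rob mentions, written for the PIX 515 on 6.3 code. The roles of the subnets are inferred from Rob's http lines: 10.1.1.0/24 is assumed to be the LAN behind the 515 and 10.2.1.0/24 the remote LAN behind the 501; the inside address 10.1.1.1 is assumed.

```text
! PIX 515 fragment, 6.3 code (added example; subnets inferred from the thread)
hostname pix515
! Without this line a ping or PDM session to 10.1.1.1 that arrives through the
! tunnel is dropped, because it would enter and leave on the same interface.
! 6.3 relaxes that rule only for traffic that came in over IPsec.
management-access inside
! PDM/HTTPS: the remote LAN is permitted on the OUTSIDE interface, since that
! is where the encrypted packets arrive, even though they target the inside
! address. A local-LAN entry on inside is still needed for local admins.
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.2.1.0 255.255.255.0 outside
! Pings to the inside interface address itself from the remote LAN.
icmp permit 10.2.1.0 255.255.255.0 inside
! Decrypted tunnel traffic bypasses the outside interface access-list.
sysopt connection permit-ipsec
! Keep LAN-to-LAN traffic out of NAT so the tunnel carries real addresses.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list nonat
```

management-access names a single interface and has no effect on traffic that did not arrive through an IPsec tunnel, so the cleartext outside interface stays unreachable as before; the mirror of these lines (subnets swapped) goes on the 501.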

4 Replies

Patrick Iseli
Level 7

Here is an example configuration for the PDM access over a VPN.

Accessing the PDM from an Outside Interface Over a VPN Tunnel:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml

Handling ICMP Pings with the PIX Firewall:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

There are two kinds of methods to permit pings:

a.) Access-list entries that permit ICMP traffic travelling between interfaces

b.) "icmp permit ..." on the same interface, which permits for example inside users to ping the inside interface.

I do not think it is possible to ping the inside interface from the VPN Peer, but I have not tested that.

What are the syslog messages on the PIX?

Sincerely

Patrick

Hi Patrick,

Thanks for your reply.

I don't think the problem lies with the ICMP permissions in my case, as in my config I have set both PIXes to permit all incoming ICMP traffic to any.

I have noticed that I need to add

http 10.2.1.0 255.255.255.0 outside (515) and

http 10.1.1.0 255.255.255.0 outside (501)

However, this still doesn't work, and there is a fundamental routing issue going on here.

If I have all ICMP traffic open and the VPN connection live, why would I not be able to ping the inside interface of either PIX from a remote point?

It doesn't make any sense; I just can't figure it out.

Thanks

Rob


Hi Scott,

Thanks for your reply. It answered my question about why it would not work ;). I will check out the link you have provided.

Thanks also to Patrick for your time.

Cheers

Rob