444 Views | 0 Helpful | 3 Replies

ping inside i/f of PIX from far end of ipsec tunnel

patrick.peters (Level 1)

Hi. I've got a PIX-to-PIX IPSEC tunnel set up between a 506 and a 515. We run OpenView NNM and it's wanting to enumerate the interfaces on the far end PIX. Life is good until OpenView tries to ping the inside interface of the distant PIX--it won't answer. I have turned on icmp trace debug on the distant PIX and I can verify that the echo request packets are arriving, but the PIX doesn't answer. I see no log messages about these echo requests, so it's not like the security policy is getting in the way (or at least I'm not seeing log messages about refusing to answer the ping request).

Has anyone managed to get this to work?

Thanks!

Pat

3 Replies

beth-martin (Level 5)

Not possible. The PIX will not reply to a PING from outside, even through a tunnel. One reason, the PIX can’t route/redirect off the same interface. You should be able to ping beyond that interface without a problem.

kva (Level 1)

Hi Pat.

One way to solve the management problem is to add the remote PIX outside IP address in the VPN tunnel. When you have done that you will be able to access this IP address via the tunnel, thus being able to ping / telnet the PIX.

Keld
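The arrangement Keld describes, written out as an added example (not configuration from this thread or from either PIX): the interesting-traffic ACL on each side carries the far PIX's outside address as a host entry alongside the far inside network, so the echo and the reply both travel inside the tunnel. PIX 6.x syntax is assumed; the addresses (NNM on 192.168.10.0/24 behind the 506, the 515's inside net 192.168.20.0/24, the 515's outside address 203.0.113.15) and the names VPN-TO-515, VPN-TO-506, NONAT and OUTSIDE-MAP are constructed placeholders, and lines starting with ! are annotations rather than config.

```cisco
! --- 506 (the NNM side): match the far inside network AND the far outside address
access-list VPN-TO-515 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-TO-515 permit ip 192.168.10.0 255.255.255.0 host 203.0.113.15
! keep the same traffic out of NAT so the real management-station source address is used
access-list NONAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT permit ip 192.168.10.0 255.255.255.0 host 203.0.113.15
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TO-515

! --- 515: the mirror image, so its reply sourced from 203.0.113.15 is encrypted as well
access-list VPN-TO-506 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-506 permit ip host 203.0.113.15 192.168.10.0 255.255.255.0
access-list NONAT permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TO-506
! the outside interface must also be permitted to answer echo requests from the NNM range
icmp permit 192.168.10.0 255.255.255.0 echo outside
```

After the first ping, `show crypto ipsec sa` on either box should list a separate SA pair for the /32 host entry next to the network-to-network one; if only the network pair appears, the host line is not matching.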

We have already added the outside interface of the PIX to the tunnel and we can ping that without a problem.

I guess the real issue here is that Network Node Manager (NNM) sees the PIX as a router and it gets upset when it can't talk to one of that router's interfaces. We have found an ugly workaround by telling NNM not to attempt to manage the inside interface. This keeps NNM from declaring a problem with the PIX. Then we define the inside network in NNM by hand and things seem to work. It's just not as automatic as it could be.

Pat