02-17-2009 03:16 AM
Hi,
I set up a site-to-site VPN between a router and a PIX. The tunnel is up and I can access both sites when pinging from users connected to the LAN (both sites). The issue is when I log in to the router console, then from there I can't ping the other site, but when I issue this command "PING 2.2.2.1 SOURCE 1.1.1.1" it is successful. By using this command "PING 2.2.2.1" it is not successful.
I need this for the VoIP configuration.
dial-peer voice 4001 voip
destination-pattern 1..
voice-class h323 1
session target ipv4:2.2.2.2
dtmf-relay h245-alphanumeric
codec g711ulaw
Voice gateway resides at LAN B.
Network Topology.
LAN-A<-->ROUTER<-- WAN --->PIX<--> LAN-B
LAN A network: 1.1.1.x/24
LAN B network: 2.2.2.x/24
02-17-2009 04:10 AM
Hello,
I'm going to guess why this is without seeing the full config...
The difference between the two situations is that when you type "PING 2.2.2.1" the packet doesn't match the VPN ACL and therefore is sent out onto the internet in plain text with a source IP of your outside interface.
When you type "PING 2.2.2.1 SOURCE 1.1.1.1" the traffic will now match the VPN ACL and is encrypted and sent down the tunnel.
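The behaviour described in the reply above, modelled as an added example that is not part of the original thread: a crypto ACL is evaluated against the packet's source address, and a router-originated ping takes the egress interface address unless a source is given. The ACL line, the WAN address 198.51.100.1 and the function names are constructed assumptions, since the thread never shows the real configuration.

```python
import ipaddress

# Constructed crypto ACL (assumption: the thread does not show the real one).
CRYPTO_ACL = ["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]

LAN_IP = "1.1.1.1"        # router LAN address, from the thread
WAN_IP = "198.51.100.1"   # constructed placeholder for the outside interface


def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def matches_crypto_acl(src, dst, acl=CRYPTO_ACL):
    """First matching entry wins; no match means implicit deny (not encrypted).
    Only 'ip' entries are modelled, which also cover ICMP."""
    for line in acl:
        action, _proto, s_base, s_wc, d_base, d_wc = line.split()
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def router_ping(dst, source=None):
    """Model a ping typed on the router console.
    Assumption: the route to LAN B points out the WAN interface, so a ping
    without an explicit source is sent with the WAN address."""
    src = source or WAN_IP
    encrypted = matches_crypto_acl(src, dst)
    return src, "encrypted in tunnel" if encrypted else "cleartext out WAN"


if __name__ == "__main__":
    print("PING 2.2.2.1                ->", router_ping("2.2.2.1"))
    print("PING 2.2.2.1 SOURCE 1.1.1.1 ->", router_ping("2.2.2.1", source=LAN_IP))
    # A LAN-A host is always inside the ACL's source range.
    print("host 1.1.1.50 -> 2.2.2.2    ->", matches_crypto_acl("1.1.1.50", "2.2.2.2"))
```

The same check applies to any traffic the router itself originates, which is why the source address of the voice signalling matters here.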
02-17-2009 04:25 AM
Thank you for your reply JamesLuther.
I am thinking this way as well. Now, I am searching if I can change the source of ICMP. In telnet I can change the source by using this syntax "ip telnet source-interface INTERFACE_NAME" but for ICMP there is none. Any other solution for this?
02-17-2009 04:46 AM
Hello,
I'm not sure that this is possible. Am I right in saying that this is needed as the router is doing voip as well as VPN?
I don't know exactly what your setup is or what you're trying to achieve but you might find configuring an IPSec/GRE tunnel will solve this issue. That way you can explicitly route all traffic for 2.2.2.2 towards the Tunnel interface regardless of the source IP.
Google "ipsec gre tunnel site:cisco.com" for some documents on how to configure this.
Let me know if this helps.
Thanks
02-17-2009 04:59 AM
You mean that I will do port forwarding under PIX and configure IPSec/GRE between LAN A Router & LAN B VG Router?