cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
492
Views
3
Helpful
5
Replies

vpn client cant ping lan behind pix

ozgurg
Level 1
Level 1

Hello

i can not get my vpnclient ping the lan...

my vpn client is able to establish the vpn with pix ,

an ip is assigned to the client from the lan range...

when i try to ping the lan ,

i see packets get to pix with debug icmp trace,

i see the encrypt packet # increases int the vpn client stats,..

and on pix when i check

sh crypto ipsec sa, i see exactly the same # of packets as decrypted,

but the # of decrypted packets on vpn client, and so the number of encrypted packets on pix stays 0...

i configured nat 0 , and i see the access-lists take hits...

but in

sh crypto map output

i see the dynamic acl created does not take hits...

and

when i do

ping outside [vpn client ip] ,i can ping ????

and the dynamic acl gets hits, and i see the decrypted stats increase in vpn client...

am i missing sthg here ???

thank you in advance...

5 Replies 5

steven.wilson
Level 1
Level 1

From your message it seems that the vpn clients are getting an IP address that is part of your inside LAN. If this the case then, thats possibly where your problem lies. The PING comes onto the LAN through the PIX but on the return why would it leave the LAN that it thinks that it is part of. The source oand destination addresses are both on the LAN.

The solution that I put in place when i had this problem was to give the Clients IP addresses in a different pool and the route to them through the PIX. If this seems useful to you i will add the posible config.

Cheers,

Steve

you are right,

that was a routing problem...

i fixed it...

best regards

I am having the same problem. What was your fix?

jasobrown
Level 1
Level 1

Do you have an access-list on the inside interface? If so what does it look like?

Also do you have a router on the inside? Does it know how to get to the IP addresses of the Clients?

Regards,

Thanks for the reply. I am fairly new to the Pix. The current setup is this: I have a router on the inside, the Pix is providing IP addresses on the vpn Clients, along with Wins and DNS server IP values. I can ping the client from the inside but can not ping the any internal servers or workstations.

I do not have an access list on the inside. The internal router has a static route back to the Pix for the IP address range assigned to the VPN clients.

Thank you for your assistance.