Ping does not work inside the VPN tunnel

Hi there,

I am trying to set up a VPN tunnel on an internal network. I have two PIX 501s, but I cannot get any communication between the two "green/internal" networks to work.

PIX A: Local(inside) IP: 192.168.1.11/24 Outside IP: 10.0.0.11/24

PIX B: Local(inside) IP: 192.168.2.12/24 Outside IP: 10.0.0.12/24

I have made a Site-to-Site VPN tunnel:

10.0.0.11 <---> 10.0.0.12. The tunnel seems to work (the VPN light is on).

There are servers on the inside LAN behind both PIX firewalls, but they cannot ping each other. What have I missed… something about routing?

PIX A:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd RLPMUQ26KL4blgFN encrypted
hostname PIX2
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.12 255.255.255.0
ip address inside 192.168.2.12 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 192.168.1.0 255.255.255.0 10.0.0.11 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.0.11
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.2.200-192.168.2.220 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7564dd1d4a16218858b5d4c8f8c2c2ae
: end
[OK]

PIX B:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.11 255.255.255.0
ip address inside 192.168.1.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.0.12
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.100-192.168.1.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:004eaf74a2add545b6d245f809550407
: end
[OK]
Reply to
mwa

Well your config looks good with one exception. It appears that in your access lists for defining interesting traffic and NAT exemption, you are trying to pass all traffic between the VPN without NAT by using the ip any any statement. Are you able to get internet traffic through these firewalls? Try this instead of your ACL statements.

PIX A

access-list outside_cryptomap_20 remark Define interesting traffic for VPN to PIX B
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Exempt VPN traffic to PIX B
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

PIX B

access-list outside_cryptomap_20 remark Define interesting traffic for VPN to PIX A
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Exempt VPN traffic to PIX A
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

-B

snipped-for-privacy@mwa.dk wrote:

Reply to
response3

Didn't see a route on this one.

Reply to
Dom

Good catch. That's probably the problem. Change the route statement to:

route outside 0.0.0.0 0.0.0.0

Do this for both firewalls, just be sure to put in the correct next hop IP for each site. This way all traffic not directly connected will get forwarded out the outside interface, NAT'd or not, and then encrypted if it matches your interesting traffic ACLs.

- B

Reply to
response3
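The two diagnoses from the replies above (interesting-traffic and NAT-exemption ACLs that match `any`, and no route to the remote LAN) as a small config check. This is an added example, not code from the thread; it runs over a constructed excerpt in the shape of the posted PIX 6.3 configs, and the next-hop address 10.0.0.1 is an assumption.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt modelled on the posted config of the PIX whose inside LAN is
# 192.168.1.0/24 (the one with no route statement); not the full config.
POSTED = """
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
# Same excerpt with the ACLs narrowed to the two LANs, as suggested, but still no route.
NARROWED = POSTED.replace("any any", "192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")
# And with the suggested default route added (next hop 10.0.0.1 is an assumed value).
ROUTED = NARROWED + "route outside 0.0.0.0 0.0.0.0 10.0.0.1 1\n"

def _addr(tokens):
    """Consume one ACL address ('any' or 'net mask'); None stands for any."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return IPv4Network((tokens[0], tokens[1])), tokens[2:]

def acl_entries(config, name):
    """(src, dst) network pair of each 'permit ip' line in ACL `name`."""
    pairs = []
    for m in re.finditer(rf"^access-list {re.escape(name)} permit ip (.+)$", config, re.M):
        src, rest = _addr(m.group(1).split())
        dst, _ = _addr(rest)
        pairs.append((src, dst))
    return pairs

def lint(config):
    """Return the findings from the thread that apply to `config`, as short strings."""
    findings, remote_lans = [], set()
    crypto = [("crypto", n) for n in re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)]
    nat0 = [("nat 0", n) for n in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)]
    for role, name in crypto + nat0:
        for src, dst in acl_entries(config, name):
            if src is None or dst is None:
                findings.append(f"{role} ACL {name} uses 'any': every flow, Internet traffic included, matches")
            elif role == "crypto":
                remote_lans.add(dst)  # destination of interesting traffic = LAN behind the peer
    routes = [IPv4Network((n, m)) for n, m, _ in re.findall(r"^route \S+ (\S+) (\S+) (\S+)", config, re.M)]
    for lan in remote_lans:
        if not any(lan.subnet_of(r) for r in routes):
            findings.append(f"no route covers remote LAN {lan}; add a route out the outside interface")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("narrowed", NARROWED), ("routed", ROUTED)):
        print(label, lint(cfg) or ["ok"])
```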

Thank you all for your help :-)

Best Regards,
Martin


Reply to
mwa
