Pix 501 Icmp over VPN

Hello everyone,

I have set up an IPsec tunnel between 2 Pix 501. I have accepted ICMP for both interfaces. I have opened up the firewall inside and outside to ICMP and IP flux from anywhere to anywhere.

The ipsec tunnels were OK, as soon as I opened up the ports, the IPSec went down (ISAKMP is still up).

I can ping outside addresses but I cannot ping within the firewall to any address, including the IP of the inside interface on the other end of the tunnel.

I've done a fair bit of VPN setups in the last few years, including a worldwide setup with a Cisco 2600 concentrator and over 100 Cisco SOHOs on remote sites. With all my experience, this Pix gizmo has me stunned. This is by far the most complicated and obscure OS I have ever seen.

Just about to throw the whole thing out of the window and give my client his money back ! HHHEEEEEEELLLLLLLLP !

Yvick

In article , Yvick wrote:
:I have set up a IPsec tunnel between 2 Pix 501.
:I have accepted ICMP for both interface.
:I have opened up the firewall inside and outside to ICMP and IP flux
:from anywhere to anywhere.

I do not understand about "IP flux" ?

:The ipsec tunnels were OK, as soon as I opened up the ports, the IPSec
:went down (ISAKMP is still up).

I have some hypotheses about probable configuration errors, but rather than my writing them all up, please post a sanitized configuration and we can point to particular parts of it.

:I can ping outside addresses but I cannot ping within the firewall to
:any address, including the IP of the inside interface on the other end
:of the tunnel.

You can only ping to the "nearest" interface of a PIX, unless you have defined a VPN tunnel as a "management" interface.

Walter Roberson

Walter Roberson wrote:

I mean all packets in and out that correspond to an IP protocol ( which includes ICMP if I'm not mistaken ...)

Got that working at last. It was a configuration error.

This is where my understanding collapses. My set up is as follows:

pcLAN1 --> Router (contains a static route for LAN2 with gateway indicating Pix 501 LAN1) --> Pix 501 LAN1 Pix 501 LAN2 Router (contains a static route with gateway indicating Pix 501 LAN2) pcLAN2

-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the outside interface to the world.

-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the inside interface to the opposite Pix 501 Inside interface and to the opposite router LAN Interface.

-- From Pix 501 LAN1 and Pix 501 LAN2 I CANNOT ping from the inside interface to any of the machines (in the example pcLANx) on the opposite network.

I have enabled an access-list to allow reply packets from anywhere to be accepted by the outside interface in.

Is this clear enough? Thanks for your help ...

Y
Yvick

:pcLAN1 --> Router (contains a static route for LAN2 with gateway
:indicating Pix 501 LAN1) --> Pix 501 LAN1 Pix 501 LAN2 Router (contains a static route
:with gateway indicating Pix 501 LAN2) pcLAN2

:-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the outside
:interface to the world.
:-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the inside
:interface to the opposite Pix 501 Inside interface and to the opposite
:router LAN Interface.

If you can ping to the inside interface of the opposite PIX then either you have some strange routing or some additional topology not shown here (e.g., a VPN concentrator), or you have defined the VPN tunnel as being a management tunnel.

:-- From Pix 501 LAN1 and Pix 501 LAN2 I CANNOT ping from the inside
:interface to any of the machines (in the example pcLANx) on the
:opposite network.

That would be consistent with having defined the tunnel as a management tunnel. When you define a management tunnel, you are only allowed to reach the remote PIX itself (no matter what the crypto ACL says.)

Walter Roberson
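To make the pieces this thread turns on concrete (ICMP to the PIX interfaces, the crypto ACL, and the "management" tunnel Walter refers to), here is a constructed PIX 6.3 site-to-site fragment for the LAN1 side. It is an added example, not the poster's configuration or Cisco documentation; the addresses, ACL and map names, and the pre-shared key placeholder are all assumptions.

```cisco
! Constructed example (not from the thread). Assumed addressing:
!   LAN1 = 192.168.1.0/24 behind inside, LAN2 = 192.168.2.0/24 behind the peer,
!   local outside = 203.0.113.1, remote peer outside = 203.0.113.2
!
! Allow ICMP to terminate on the PIX's own interfaces (pings *to* the PIX).
icmp permit any inside
icmp permit any outside
!
! Interesting traffic: the crypto ACL must name the two LANs themselves, not
! the PIX interfaces, or host-to-host pings are never selected for encryption.
access-list LAN1-TO-LAN2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Exempt the same LAN pair from NAT so packets enter the tunnel unrewritten.
nat (inside) 0 access-list LAN1-TO-LAN2
!
! Let decrypted IPsec traffic bypass the outside interface ACL, so no
! "any to any" permit on the outside interface is needed for tunnelled replies.
sysopt connection permit-ipsec
!
! IPsec (phase 2) and ISAKMP (phase 1).
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address LAN1-TO-LAN2
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! Only needed to ping or manage the PIX's own inside interface from across the
! tunnel; this is the "management" interface Walter mentions.
management-access inside
```

The mirror image (LAN2 as source, 203.0.113.1 as peer) goes on the other PIX; if the crypto ACLs on the two sides are not exact mirrors, phase 2 fails while ISAKMP still shows as up.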
