PIX501 Site to Site ICMP Problem

- B
- btercha
  
  Contact options for registered users
posted
18 years ago

Fri, Dec 16, 2005 4:23 PM

Hello -

I have a site to site VPN setup between our office and a couple of employee's homes. The problem that I am having is that the VPN tunnel will establish but we cannot ping anything on either subnets across the site to site VPN. I've made changes to the ACLs, used the 'icmp permit' command and even tried to use conduits but I cannot ping any hosts on the remote subnet across the VPN. I can however access our exchange, web and other servers without a problem. Below are copies of the configs. IP's, hostnames, passwords have been removed/changed for security reasons. Could somebody please tell me what is wrong with the config, or what needs to be changed so that we can ping from home to the office. Thanks.

Office config: : Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password removed encrypted passwd removed encrypted hostname OfficePIX501 domain-name office.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0

255.255.255.24 access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list 10 deny ip 127.0.0.0 255.0.0.0 any access-list 10 deny ip 169.254.0.0 255.255.0.0 any access-list 10 deny ip 172.16.0.0 255.255.0.0 any access-list 10 deny ip 224.0.0.0 224.0.0.0 any access-list 10 permit icmp any any echo-reply access-list 10 permit icmp any any time-exceeded access-list 10 permit icmp any any access-list 10 permit tcp any host 1.1.1.1 eq smtp access-list 10 permit tcp any host 1.1.1.1 eq 3389 access-list 10 permit tcp any host 1.1.1.1 eq www access-list 10 permit tcp any host 1.1.1.1 eq https access-list 10 permit icmp any any unreachable access-list 10 permit icmp any any source-quench access-list 10 permit ip 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0 access-list 10 permit icmp 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0 access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0 pager lines 24 logging on logging timestamp logging console emergencies logging monitor emergencies logging buffered warnings logging trap debugging logging history debugging icmp permit any outside mtu outside 1400 mtu inside 1500 ip address outside 1.1.1.1 255.255.255.248 ip address inside 172.31.40.1 255.255.255.0 ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit name jab attack action alarm drop reset ip audit name probe info action alarm drop reset ip audit interface outside probe ip audit interface outside jab ip audit info action alarm drop reset ip audit attack action alarm drop reset ip audit signature 2000 disable ip audit signature 2001 disable ip local pool vpnpool 192.168.16.5-192.168.16.10 pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list 100 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp 1.1.1.1 smtp 172.31.40.250 smtp netmask 255.25 5.255.255 0 0 static (inside,outside) tcp 1.1.1.1 www 172.31.40.250 www netmask 255.255. 255.255 0 0 static (inside,outside) tcp 1.1.1.1 https 172.31.40.250 https netmask 255. 255.255.255 0 0 static (inside,outside) tcp 1.1.1.1 3389 172.31.40.250 3389 netmask 255.25 5.255.255 0 0 access-group 10 in interface outside route outside 0.0.0.0 0.0.0.0 1.1.1.2 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set strong esp-3des esp-md5-hmac crypto dynamic-map dynmap 1 set transform-set strong crypto map dynmap1 10 ipsec-isakmp dynamic dynmap crypto map dynmap1 interface outside isakmp enable outside isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 vpngroup vpnsetting address-pool vpnpool vpngroup vpnsetting dns-server 172.31.40.250 vpngroup vpnsetting wins-server 172.31.40.250 vpngroup vpnsetting default-domain removed.com vpngroup vpnsetting split-tunnel 110 vpngroup vpnsetting idle-time 1800 vpngroup vpnsetting password ******** telnet 192.168.16.0 255.255.255.0 outside telnet 192.168.3.0 255.255.255.0 outside telnet 192.168.2.0 255.255.255.0 outside telnet 172.31.40.0 255.255.255.0 inside telnet timeout 60 ssh 0.0.0.0 0.0.0.0 outside ssh timeout 60 console timeout 0 terminal width 80 Cryptochecksum:71a838b1e54be2294e926ff2e449654c : end

Home config: : Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password removed encrypted passwd removed encrypted hostname HomePIX501 domain-name Homepix.net fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 100 permit ip 192.168.2.0 255.255.255.0 172.31.40.0

255.255.255.0 access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list 10 deny ip 127.0.0.0 255.0.0.0 any access-list 10 deny ip 169.254.0.0 255.255.0.0 any access-list 10 deny ip 172.16.0.0 255.255.0.0 any access-list 10 deny ip 224.0.0.0 224.0.0.0 any access-list 10 permit icmp any any echo-reply access-list 10 permit icmp any any time-exceeded access-list 10 permit icmp any any access-list 10 permit icmp any any unreachable access-list 10 permit icmp any any source-quench access-list 10 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list 10 permit icmp 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging on logging timestamp logging console emergencies logging monitor emergencies logging buffered warnings logging trap debugging logging history debugging icmp permit any outside mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 192.168.2.100 255.255.255.0 ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit name jab attack action alarm drop reset ip audit name probe info action alarm drop reset ip audit interface outside probe ip audit interface outside jab ip audit info action alarm drop reset ip audit attack action alarm drop reset ip audit signature 2000 disable ip audit signature 2001 disable pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list 100 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group 10 in interface outside timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 172.31.40.0 255.255.255.0 outside http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set strong esp-3des esp-md5-hmac crypto map Home2Office 10 ipsec-isakmp crypto map Home2Office 10 match address 100 crypto map Home2Office 10 set peer 72.245.146.34 crypto map Home2Office 10 set transform-set strong crypto map Home2Office interface outside isakmp enable outside isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 telnet 192.168.16.0 255.255.255.0 outside telnet 192.168.3.0 255.255.255.0 outside telnet 172.31.40.0 255.255.255.0 outside telnet 0.0.0.0 0.0.0.0 outside telnet 192.168.2.0 255.255.255.0 inside telnet timeout 60 ssh 0.0.0.0 0.0.0.0 outside ssh timeout 60 console timeout 0 dhcpd address 192.168.2.25-192.168.2.50 inside dhcpd dns 68.87.75.194 68.87.64.196 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:39b99b97937befbb04d412cc69f09915 : end

Thank you for your help.

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Dec 16, 2005 4:53 PM

[rearranged]

Your split tunnel is for 192.168.16.x on the client side and

172.31.40.x on the server side to go through the tunnel.

This agrees with the client side address for the split tunnel.

This ACL is read as 172.31.40.x on the PIX side and a few other things on the remote side, and turns off address translation for those flows.

The 192.168.2.x and 192.168.3.x destinations are irrelevant for the problem being investigated, so focus on the other line:

access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.24

Is this line consistant with 172.31.40.x on the PIX side and

192.168.16.x on the client side? No! This line is for 192.168.16.0 - 192.168.16.7, .32 - .39, .64 - .71, .96 - .103, .128 - .135, .160 - .167, .192 - .199, and .224 - .231

If a 0 accidently got dropped in the posting and the line is really access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.240

then it covers 192.168.16.0 - 192.168.16.15 which does cover the complete allocated address pool, but is not consistant with the split tunnel.

- B
- btercha
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Dec 16, 2005 6:34 PM

Thanks, I've made changes to the config, its posted below.

: Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password removed encrypted passwd removed encrypted hostname OfficePIX501 domain-name office.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0

255.255.255.0 access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list 10 deny ip 127.0.0.0 255.0.0.0 any access-list 10 deny ip 169.254.0.0 255.255.0.0 any access-list 10 deny ip 172.16.0.0 255.255.0.0 any access-list 10 deny ip 224.0.0.0 224.0.0.0 any access-list 10 permit icmp any any echo-reply access-list 10 permit icmp any any time-exceeded access-list 10 permit icmp any any access-list 10 permit tcp any host 1.1.1.1 eq smtp access-list 10 permit tcp any host 1.1.1.1 eq 3389 access-list 10 permit tcp any host 1.1.1.1 eq www access-list 10 permit tcp any host 1.1.1.1 eq https access-list 10 permit icmp any any unreachable access-list 10 permit icmp any any source-quench access-list 10 permit ip 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0 access-list 10 permit icmp 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0 access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0 pager lines 24 logging on logging timestamp logging console emergencies logging monitor emergencies logging buffered warnings logging trap debugging logging history debugging icmp permit any outside mtu outside 1400 mtu inside 1500 ip address outside 1.1.1.1 255.255.255.248 ip address inside 172.31.40.1 255.255.255.0 ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit name jab attack action alarm drop reset ip audit name probe info action alarm drop reset ip audit interface outside probe ip audit interface outside jab ip audit info action alarm drop reset ip audit attack action alarm drop reset ip audit signature 2000 disable ip audit signature 2001 disable ip local pool vpnpool 192.168.16.5-192.168.16.10 pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list 100 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp 1.1.1.1 smtp 172.31.40.250 smtp netmask 255.25 5.255.255 0 0 static (inside,outside) tcp 1.1.1.1 www 172.31.40.250 www netmask 255.255. 255.255 0 0 static (inside,outside) tcp 1.1.1.1 https 172.31.40.250 https netmask 255. 255.255.255 0 0 static (inside,outside) tcp 1.1.1.1 3389 172.31.40.250 3389 netmask 255.25 5.255.255 0 0 access-group 10 in interface outside route outside 0.0.0.0 0.0.0.0 1.1.1.2 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set strong esp-3des esp-md5-hmac crypto dynamic-map dynmap 1 set transform-set strong crypto map dynmap1 10 ipsec-isakmp dynamic dynmap crypto map dynmap1 interface outside isakmp enable outside isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 vpngroup vpnsetting address-pool vpnpool vpngroup vpnsetting dns-server 172.31.40.250 vpngroup vpnsetting wins-server 172.31.40.250 vpngroup vpnsetting default-domain removed.com vpngroup vpnsetting split-tunnel 110 vpngroup vpnsetting idle-time 1800 vpngroup vpnsetting password ******** telnet 192.168.16.0 255.255.255.0 outside telnet 192.168.3.0 255.255.255.0 outside telnet 192.168.2.0 255.255.255.0 outside telnet 172.31.40.0 255.255.255.0 inside telnet timeout 60 ssh 0.0.0.0 0.0.0.0 outside ssh timeout 60 console timeout 0 terminal width 80 Cryptochecksum:71a838b1e54be2294e926ff2e449654c : end

I'm not concerned with the 192.168.16.0/24 subnet right now, that is used when people connect using the VPN client software. The problem I am trying to get to the bottom of is that you cannot ping between the

172.31.40.0/24 and 192.168.2.0/24 IP subnets. I can telnet, RDP, web browse, so the VPN tunnel is establishing and passing traffic, but I cannot ping. It is very frustrating. When I do a show log on either side I see the following:

Office:

400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interfa ce outside 400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interfa ce outside 400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interfa ce outside

Home:

400014: IDS:2004 ICMP echo request from 172.31.40.51 to 192.168.2.55 on interface outside 400014: IDS:2004 ICMP echo request from 172.31.40.51 to 192.168.2.55 on interface outside

All of the IPs above are valid and respond to ICMP within the same subnet.

Any more ideas?

- W
- Wayne
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Dec 16, 2005 7:42 PM

Enable nat-traversal.

"isakmp nat-traversal"

formatting link

(URL may wrap)

- B
- btercha
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Dec 16, 2005 8:32 PM

No luck, I ended up disabling IDS Policy '2004 ICMP Echo request'

'ip audit signature 2004 disable'

This allowed ping from subnet to subnet through the VPN.

Thanks for everyone's help.