Help needed with Pinging Network from Router

Discussion in 'Cisco' started by Jerry, Oct 26, 2003.

  1. Jerry

    Jerry Guest

    I have an inside network (192.168.1.0) to a Cisco 2950 Switch to a PIX 501
    (inside 192.168.1.1, outside 10.1.1.35) to a Cisco 827 (e0 10.1.1.1) with
    PPPoE, Dynamic IP assigned by ISP.

    In order for VPN to work from my laptop using a Cisco client, I have
    to plug the laptop directly into the e0 port on the 827, and give the laptop
    a 10.1.1.X address.

    I plan to get a hub to connect to e0 of the 827 so I won't have to
    disconnect my entire inside network every time I plug my laptop in for VPN.

    I have also set up my PIX as a DHCP server for my internal 192.1.1.X
    network. And I set up my 827 router as a DHCP server for the 10.1.1.X
    network. I figure this way, at least, when I plug my laptop in I will get an
    IP and won't have to manually enter it every time I bring it home. It also
    gives me a DMZ of sorts.

    Ideally however, I would like to be able to just plug my laptop into my 2950
    switch and have VPN work. Is there any way to do this with my current setup?

    Also, I can ping my router from my internal network. But I am unable to ping
    my internal network from my router. (I know the PIX isn't the problem, since
    the router replies to a ping.) Is there a command I can enter in the router
    that will allow me to ping my 192.1.1.x internal network? I know if I can't
    ping my internal network from the router, there is no way for VPN to work
    from my internal network, hence my problem. Thanks. Here are my configs:

    Cisco 827 Router:
    Using 1469 out of 131072 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname DSLRouter
    !
    enable secret 5 $1$V5ao$gOB3j2GaiZV.x0aUcKkpw/
    enable password xxxxxx
    !
    ip subnet-zero
    ip dhcp excluded-address 10.1.1.1
    !
    ip dhcp pool SERVER
    network 10.0.0.0 255.0.0.0
    default-router 10.1.1.1
    !
    vpdn enable
    !
    vpdn-group 1
    request-dialin
    protocol pppoe
    ip mtu adjust
    !
    !
    !
    !
    interface Ethernet0
    ip address 10.1.1.1 255.0.0.0
    ip nat inside
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface ATM0
    mtu 1492
    no ip address
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    hold-queue 224 in
    !
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname xxxxxx
    ppp chap password 7 0836435C581F0013
    ppp pap sent-username xxxxxxx password 7 0836435C581F0013
    !
    ip nat inside source list 10 interface Dialer1 overload
    ip nat inside source list 19 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.1.0 255.255.255.0 10.1.1.35
    no ip http server
    !
    !
    access-list 10 permit 10.0.0.0 0.255.255.255
    access-list 19 permit 192.0.0.0 0.255.255.255
    dialer-list 1 protocol ip permit
    banner motd ^Cc
    Good Morning ^C
    !
    line con 0
    stopbits 1
    line vty 0 4
    password xxxxxx
    login
    !
    scheduler max-task-time 5000
    end

    PIX 501:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 0JeJdBKOXHOPaqYc encrypted
    passwd 0JeJdBKOXHOPaqYc encrypted
    hostname pixfirewall
    domain-name xxxxxxxxxx
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 66.0.0.0 DNS
    name 10.1.1.35 PIX_OUTSIDE
    name 192.168.1.1 PIX_INSIDE
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in deny ip any any
    access-list inside_access_in permit ip any any
    no pager
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1492
    mtu inside 1492
    ip address outside PIX_OUTSIDE 255.0.0.0
    ip address inside PIX_INSIDE 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location DNS 255.255.255.0 inside
    pdm location DNS 255.255.255.255 outside
    pdm location PIX_OUTSIDE 255.255.255.255 outside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location PIX_OUTSIDE 255.255.255.255 inside
    pdm logging notifications 512
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 66.228.128.70 66.228.128.202
    dhcpd lease 259200
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username xxxxxxx password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    terminal width 80
    Cryptochecksum:ca4c0bd6bb67fa6becd5d8fd370f3802
    : end
     
    Jerry, Oct 26, 2003
    #1

  2. In article <>,
    Jerry <> wrote:
    :Also, I can ping my router from my internal network. But I am unable to ping
    :my internal network from my router.(I know the PIX isn't the problem, since
    :the router replies to a ping.

    :pIX 501:

    :access-list outside_access_in permit icmp any any echo-reply
    :access-list outside_access_in deny ip any any
    :access-list inside_access_in permit ip any any

    :access-group outside_access_in in interface outside
    :access-group inside_access_in in interface inside

    Your PIX is set to allow external icmp echo-reply but not to allow
    external icmp echo through. When you ping from the LAN to the router,
    you are going from inside to outside, using the inside_access_in
    access list that allows everything; the router then replies with
    an icmp echo-reply that the PIX has been configured to allow through.
    When you ping from the router to the LAN, your router is sending
    icmp echo, which you have configured the PIX to block by that
    'deny ip any any' in the outside_access_in access-list.
    (Mind you, that deny is the default anyhow; you'd have the same
    result if you just deleted that line.)

    Try this:

    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit icmp any any echo
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Oct 27, 2003
    #2

  3. Jerry

    Jerry Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bnhrtc$lst$...
    > In article <>,
    > Jerry <> wrote:
    > :Also, I can ping my router from my internal network. But I am unable to ping
    > :my internal network from my router.(I know the PIX isn't the problem, since
    > :the router replies to a ping.
    >
    > :pIX 501:
    >
    > :access-list outside_access_in permit icmp any any echo-reply
    > :access-list outside_access_in deny ip any any
    > :access-list inside_access_in permit ip any any
    >
    > :access-group outside_access_in in interface outside
    > :access-group inside_access_in in interface inside
    >
    > Your PIX is set to allow external icmp echo-reply but not to allow
    > external icmp echo through. When you ping from the LAN to the router,
    > you are going from inside to outside, using the inside_access_in
    > access list that allows everything; the router then replies with
    > an icmp echo-reply that the PIX has been configured to allow through.
    > When you ping from the router to the LAN, your router is sending
    > icmp echo, which you have configured the PIX to block by that
    > 'deny ip any any' in the outside_access_in access-list.
    > (Mind you, that deny is the default anyhow; you'd have the same
    > result if you just deleted that line.)
    >
    > Try this:
    >
    > access-list outside_access_in permit icmp any any echo-reply
    > access-list outside_access_in permit icmp any any echo
    > --


    Thanks, but just for grins, I tried:
    access-list outside_access_in permit icmp any any
    leaving the flood gates open, and it still didn't work. I'm stumped.
     
    Jerry, Oct 27, 2003
    #3
  4. Does the pix use NAT?

    Erik

     
    Erik Tamminga, Oct 27, 2003
    #4
  5. Sorry, didn't see first posting (newsreader error'ed on it)

    Erik


     
    Erik Tamminga, Oct 27, 2003
    #5
  6. Your pix uses PAT (nat overload). With this configured, there is no way
    (without static translations) to communicate from the outside to the inside
    unless the connection was initiated from the inside. That's the reason
    you're not able to ping from the outside to the inside.

    Erik

     
    Erik Tamminga, Oct 27, 2003
    #6
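
The two explanations given in this thread (the outside ACL in reply #2 and PAT in reply #6) can be combined in one simplified model, shown here as an added example that is not part of the original posts or of any Cisco code. `PixModel`, `run_thread_scenarios`, the host 192.168.1.10, the ICMP ids and the /24 identity static are assumptions made for illustration; the ACL entries, addresses and the existing /32 static come from the posted PIX config.

```python
import ipaddress

PAT_IP = "10.1.1.35"  # PIX outside address, used by "global (outside) 1 interface"

class PixModel:
    """Simplified model (an assumption, not PIX internals): an outside->inside
    ICMP packet needs an outside ACL permit AND a translation to an inside host."""

    def __init__(self, outside_acl, statics):
        self.acl = outside_acl    # ordered (action, icmp_type); None matches any type
        self.statics = [ipaddress.ip_network(n) for n in statics]
        self.xlates = {}          # ICMP id -> inside host, created by outbound pings

    def outbound(self, src, icmp_id):
        # inside_access_in permits everything; PAT records a dynamic xlate
        self.xlates[icmp_id] = src

    def inbound(self, dst, icmp_type, icmp_id):
        # First matching ACL entry wins; falling off the end is the implicit deny
        action = next((a for a, t in self.acl if t in (None, icmp_type)), "deny")
        if action != "permit":
            return "deny: outside ACL"
        if dst == PAT_IP and icmp_id in self.xlates:
            return "permit: PAT xlate to " + self.xlates[icmp_id]
        if any(ipaddress.ip_address(dst) in net for net in self.statics):
            return "permit: static"
        return "deny: no translation"

def run_thread_scenarios():
    host = "192.168.1.10"              # constructed host inside the PIX DHCP pool
    page_static = ["192.168.1.1/32"]   # static (inside,outside) PIX_INSIDE PIX_INSIDE
    out = {}
    posted = PixModel([("permit", "echo-reply"), ("deny", None)], page_static)
    posted.outbound(host, icmp_id=7)   # LAN host pings the router first
    out["reply to LAN ping"] = posted.inbound(PAT_IP, "echo-reply", 7)
    out["router ping, posted ACL"] = posted.inbound(host, "echo", 99)
    opened = PixModel([("permit", None)], page_static)   # permit icmp any any
    out["router ping, icmp any any"] = opened.inbound(host, "echo", 99)
    # Hypothetical fix: echo permitted plus an identity static for the inside subnet
    fixed = PixModel([("permit", "echo-reply"), ("permit", "echo")],
                     page_static + ["192.168.1.0/24"])
    out["router ping, ACL + static"] = fixed.inbound(host, "echo", 99)
    return out

if __name__ == "__main__":
    for scenario, verdict in run_thread_scenarios().items():
        print(f"{scenario}: {verdict}")
```

The third scenario reproduces the result reported in post #3: opening ICMP in the ACL changes the failure from an ACL deny to a missing translation, so the ping from the router still fails.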