ICMP through PIX IPSEC VPNs

Discussion in 'Cisco' started by Garry, Apr 22, 2004.

  1. Garry

    Garry Guest

    guys,

    I am having a problem with pinging and tracing through an IPsec VPN
    via PIX firewalls. The VPN tunnels are fine and everything is working
    as it should except that I am unable to ping or trace to a station at
    the far end. I am not NATing addresses that are going through the tunnel
    and the access-list that defines interesting traffic allows all IP
    from source to destination. I don't think I need to, but do I need to
    specifically allow ICMP through even though I am defining all IP as
    interesting?

    Cheers,

    Garry
    Garry, Apr 22, 2004
    #1

  2. In article <>,
    Garry <> wrote:
    :I am having a problem with pinging and tracing through an IPsec VPN
    :via PIX firewalls. The VPN tunnels are fine and everything is working
    :as it should except that I am unable to ping or trace to a station at
    :the far end. I am not NATing addresses that are going through the tunnel
    :and the access-list that defines interesting traffic allows all IP
    :from source to destination.

    That situation works fine for us.

    :I don't think I need to, but do I need to
    :specifically allow ICMP through even though I am defining all IP as
    :interesting?

    No, ip includes icmp.

    I suggest that the debug icmp trace facility might help.
    Have you determined yet at which step the icmp are getting lost?

    --
    Would you buy a used bit from this man??
    Walter Roberson, Apr 22, 2004
    #2

  3. Garry

    Rik Bain Guest

    On Thu, 22 Apr 2004 05:51:17 -0500, Garry wrote:

    > guys,
    >
    > I am having a problem with pinging and tracing through an IPsec VPN via
    > PIX firewalls. The VPN tunnels are fine and everything is working as it
    > should except that I am unable to ping or trace to a station at the far
    > end. I am not NATing addresses that are going through the tunnel and the
    > access-list that defines interesting traffic allows all IP from source
    > to destination. I don't think I need to, but do I need to specifically
    > allow ICMP through even though I am defining all IP as interesting?
    >
    > Cheers,
    >
    > Garry


    Are you able to initiate traffic in both directions?
    Could it be a sysopt connection permit-ipsec issue?
    Do you have access-groups applied to the inside interfaces?
    Rik Bain, Apr 22, 2004
    #3
