IPSec VPN OK, cannot ping from router to hosts on remote LAN

Discussion in 'Cisco' started by Mirko, Jul 30, 2004.

  1. Mirko

    Mirko Guest

    I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
    Zyxels 652 (remotes).

    I am able to establish ICMP communications (send receive) among hosts on a
    given LAN and hosts on the other LAN. Other protocols and applications also
    work correctly (UDP/TCP, remote control software, data transfer software
    etc.).

    I realized I could not do the same from my Cisco router, i.e. it cannot ping
    any hosts on the remote LAN. I cannot even ping the LAN interface of the
    remote router.

    Following a "trace" command I learned the router just sends its ICMP packets
    at its default gateway (interface dialer0, being this a PPPoE-type
    connection), where they are soon lost, being addressed to a private LAN.

    How can I tell my router to send packets addressed to my remote LANs towards
    the IPSec tunnels?

    Thanks for any suggestion.


    Mirko
     
    Mirko, Jul 30, 2004
    #1

  2. Mirko

    Ivan Ostres Guest

    In article <bFuOc.76364$>,
    says...
    > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
    > Zyxels 652 (remotes).
    >
    > I am able to establish ICMP communications (send receive) among hosts on a
    > given LAN and hosts on the other LAN. Other protocols and applications also
    > work correctly (UDP/TCP, remote control software, data transfer software
    > etc.).
    >
    > I realized I could not do the same from my Cisco router, i.e. it cannot ping
    > any hosts on the remote LAN. I cannot even ping the LAN interface of the
    > remote router.
    >
    > Following a "trace" command I learned the router just sends its ICMP packets
    > at its default gateway (interface dialer0, being this a PPPoE-type
    > connection), where they are soon lost, being addressed to a private LAN.
    >
    > How can I tell my router to send packets addressed to my remote LANs towards
    > the IPSec tunnels?
    >
    > Thanks for any suggestion.
    >
    >


    You need to specify your router's (ping source) address in your crypto
    access list. You also need to be sure which address is your source
    address when you ping from the router (it is possible to specify source
    address using extended ping).

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Jul 30, 2004
    #2

  3. Mirko

    Rik Bain Guest

    On Fri, 30 Jul 2004 11:26:47 -0500, Mirko wrote:

    > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of
    > cheap Zyxels 652 (remotes).
    >
    > I am able to establish ICMP communications (send receive) among hosts on
    > a given LAN and hosts on the other LAN. Other protocols and applications
    > also work correctly (UDP/TCP, remote control software, data transfer
    > software etc.).
    >
    > I realized I could not do the same from my Cisco router, i.e. it cannot
    > ping any hosts on the remote LAN. I cannot even ping the LAN interface
    > of the remote router.
    >
    > Following a "trace" command I learned the router just sends its ICMP
    > packets at its default gateway (interface dialer0, being this a
    > PPPoE-type connection), where they are soon lost, being addressed to a
    > private LAN.
    >
    > How can I tell my router to send packets addressed to my remote LANs
    > towards the IPSec tunnels?
    >
    > Thanks for any suggestion.
    >
    >
    > Mirko


    You want to source the ping from the lan interface via extended ping.
    Type "ping ip" and hit enter. You will be prompted for more information,
    including the source interface.

    Rik Bain
     
    Rik Bain, Jul 30, 2004
    #3
  4. Mirko

    Mirko Guest

    Ivan,
    you were right as both suggestions were necessary for this to work.

    I opened ICMP on inbound interface (dialer0) from "remote private LAN" to
    "local private LAN".

    Being still unsuccessful in pinging the remote host from my router, I used
    "extended ping" to specify ethernet0 as the source of the ICMP request. I
    also used "debug ip ICMP" to gather useful information.

    This worked as I started to receive echo replies from the remote hosts.

    Now I wonder: how does the IOS select the default interface to stamp its
    ping packets with? Is it possible to have it changed to the ethernet0 by
    default?

    Thanks for your advice.


    Mirko


    "Ivan Ostres" <> wrote in message
    news:...
    > In article <bFuOc.76364$>,
    > says...
    > > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
    > > Zyxels 652 (remotes).
    > >
    > > I am able to establish ICMP communications (send receive) among hosts on a
    > > given LAN and hosts on the other LAN. Other protocols and applications also
    > > work correctly (UDP/TCP, remote control software, data transfer software
    > > etc.).
    > >
    > > I realized I could not do the same from my Cisco router, i.e. it cannot ping
    > > any hosts on the remote LAN. I cannot even ping the LAN interface of the
    > > remote router.
    > >
    > > Following a "trace" command I learned the router just sends its ICMP packets
    > > at its default gateway (interface dialer0, being this a PPPoE-type
    > > connection), where they are soon lost, being addressed to a private LAN.
    > >
    > > How can I tell my router to send packets addressed to my remote LANs towards
    > > the IPSec tunnels?
    > >
    > > Thanks for any suggestion.
    > >
    > >
    >
    > You need to specify your router's (ping source) address in your crypto
    > access list. You also need to be sure which address is your source
    > address when you ping from the router (it is possible to specify source
    > address using extended ping).
    >
    > --
    > -Ivan.
    >
    > *** Use Rot13 to see my eMail address ***
     
    Mirko, Jul 31, 2004
    #4
  5. Mirko

    Mirko Guest

    Thanks Rik I tried it and by also opening the firewall to ICMP replies it
    worked well.

    Mirko

    "Rik Bain" <> wrote in message
    news:410aa4bf$0$94552$...
    > On Fri, 30 Jul 2004 11:26:47 -0500, Mirko wrote:
    >
    > > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of
    > > cheap Zyxels 652 (remotes).
    > >
    > > I am able to establish ICMP communications (send receive) among hosts on
    > > a given LAN and hosts on the other LAN. Other protocols and applications
    > > also work correctly (UDP/TCP, remote control software, data transfer
    > > software etc.).
    > >
    > > I realized I could not do the same from my Cisco router, i.e. it cannot
    > > ping any hosts on the remote LAN. I cannot even ping the LAN interface
    > > of the remote router.
    > >
    > > Following a "trace" command I learned the router just sends its ICMP
    > > packets at its default gateway (interface dialer0, being this a
    > > PPPoE-type connection), where they are soon lost, being addressed to a
    > > private LAN.
    > >
    > > How can I tell my router to send packets addressed to my remote LANs
    > > towards the IPSec tunnels?
    > >
    > > Thanks for any suggestion.
    > >
    > >
    > > Mirko

    >
    > You want to source the ping from the lan interface via extended ping.
    > Type "ping ip" and hit enter. You will be prompted for more information,
    > including the source interface.
    >
    > Rik Bain
     
    Mirko, Jul 31, 2004
    #5
  6. Mirko

    Ivan Ostres Guest

    In article <L3SOc.62121$>,
    says...
    > Subject: Re: IPSec VPN OK, cannot ping from router to hosts on remote LAN
    > From: "Mirko" <>
    > Organization: TIN
    > Newsgroups: comp.dcom.sys.cisco
    >
    > Ivan,
    > you were right as both suggestions were necessary for this to work.
    >
    > I opened ICMP on inbound interface (dialer0) from "remote private LAN" to
    > "local private LAN".
    >
    > Being still unsuccessful in pinging the remote host from my router, I used
    > "extended ping" to specify ethernet0 as the source of the ICMP request. I
    > also used "debug ip ICMP" to gather useful information.
    >
    > This worked as I started to receive echo replies from the remote hosts.
    >
    > Now I wonder: how does the IOS select the default interface to stamp its
    > ping packets with? Is it possible to have it changed to the ethernet0 by
    > default?
    >
    > Thanks for your advice.
    >
    >


    You don't have to use extended ping (all the options) to set the source
    address. You can do it directly:

    ping 1.2.3.4 source 1.1.1.1

    (this is from top of my head so it may be wrong, but ? will give you
    right syntax).

    You can also look at:

    ip ping ?

    output to see if it's possible to set source up. Sorry, I don't have any
    router close to me to check it out.


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Aug 1, 2004
    #6
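
Added example, not part of the original thread: a small Python model of why the source address decides whether a router-originated ping enters the IPSec tunnel. IOS sources locally generated packets from the outgoing interface (dialer0 here), and only traffic matching a permit entry in the crypto access list is encrypted; everything else leaves in cleartext via the default route. All addresses and the ACL line are constructed sample values, and the parser handles only the `permit|deny ip <addr> <wildcard> <addr> <wildcard>` form.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _matches(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def parse_acl_line(line):
    """Parse 'permit|deny ip <src> <wildcard> <dst> <wildcard>' (subset only)."""
    action, proto, src, swc, dst, dwc = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return action, (_to_int(src), _to_int(swc)), (_to_int(dst), _to_int(dwc))

def is_encrypted(acl_lines, src, dst):
    """First match wins; no match (implicit deny) means the packet bypasses the tunnel."""
    s, d = _to_int(src), _to_int(dst)
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_acl_line(line)
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action == "permit"
    return False

# Constructed sample values: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.
CRYPTO_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
ROUTER_ADDRS = {"dialer0": "203.0.113.10", "ethernet0": "192.168.1.1"}
REMOTE_HOST = "192.168.2.20"

def ping_outcome(source_interface, acl=CRYPTO_ACL):
    """Where a router-originated ping to REMOTE_HOST goes for a given source interface."""
    src = ROUTER_ADDRS[source_interface]
    return "tunnel" if is_encrypted(acl, src, REMOTE_HOST) else "cleartext via default route"

if __name__ == "__main__":
    for ifname in ROUTER_ADDRS:
        print(f"ping {REMOTE_HOST} source {ifname}: {ping_outcome(ifname)}")
```

Sourcing the ping from ethernet0 matches the existing entry; adding the router's own source address to the crypto access list, as suggested in reply #2, is the other way to get a match.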