Ping does not work inside the VPN tunnel

Discussion in 'Cisco' started by mwa@mwa.dk, Sep 8, 2006.

  1. Guest

    Hi there,

    I am trying to set up a VPN-tunnel on an internal network.
    I have two PIX 501. But I can not get any communication between the two
    "green/internal" networks to work.

    PIX A:
    Local(inside) IP: 192.168.1.11/24
    Outside IP: 10.0.0.11/24

    PIX B:
    Local(inside) IP: 192.168.2.12/24
    Outside IP: 10.0.0.12/24

    I have made a Site-to-Site VPN tunnel:
    10.0.0.11 --- 10.0.0.12
    The tunnel seems to work (VPN light is on).

    There are servers on the inside LAN on both PIX-firewalls, but they can
    not ping each other.
    What have I missed… something about routing?

    PIX A:
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd RLPMUQ26KL4blgFN encrypted
    hostname PIX2
    domain-name ciscopix.com
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any any
    access-list outside_cryptomap_20 permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.0.0.12 255.255.255.0
    ip address inside 192.168.2.12 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 192.168.3.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 192.168.1.0 255.255.255.0 10.0.0.11 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 10.0.0.11
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 10.0.0.11 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 20
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 192.168.2.200-192.168.2.220 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:7564dd1d4a16218858b5d4c8f8c2c2ae
    : end
    [OK]



    PIX B:
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX1
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any any
    access-list outside_cryptomap_20 permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.0.0.11 255.255.255.0
    ip address inside 192.168.1.11 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 10.0.0.12
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 10.0.0.12 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 192.168.1.100-192.168.1.120 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:004eaf74a2add545b6d245f809550407
    : end
    [OK]
    , Sep 8, 2006
    #1

  2. response3 Guest

    Well your config looks good with one exception. It appears that in
    your access lists for defining interesting traffic and NAT exemption,
    you are trying to pass all traffic between the VPN without NAT by using
    the ip any any statement. Are you able to get internet traffic through
    these firewalls? Try this instead of your ACL statements.

    PIX A
    access-list inside_outbound_nat0_acl remark Define interesting traffic for VPN to PIX B
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list inside_outbound_nat0_acl remark Exempt VPN traffic to PIX B
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    Pix B
    access-list inside_outbound_nat0_acl remark Define interesting traffic for VPN to PIX A
    access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list inside_outbound_nat0_acl remark Exempt VPN traffic to PIX A
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    -B

    response3, Sep 9, 2006
    #2

  3. Dom Guest

    On Fri, 2006-09-08 at 14:48 -0700, wrote:
    > I have made a Site-to-Site VPN tunnel:
    > 10.0.0.11 --- 10.0.0.12
    > The tunnel seems to work (VPN light is on).
    >
    > There are servers on the inside LAN on both PIX-firewalls, but they can
    > not ping each other.


    > ip address outside 10.0.0.12 255.255.255.0
    > ip address inside 192.168.2.12 255.255.255.0
    > route outside 192.168.1.0 255.255.255.0 10.0.0.11 1


    > ip address outside 10.0.0.11 255.255.255.0
    > ip address inside 192.168.1.11 255.255.255.0


    Didn't see a route on this one.
    Dom, Sep 9, 2006
    #3
  4. response3 Guest

    Dom wrote:
    > On Fri, 2006-09-08 at 14:48 -0700, wrote:
    > > I have made a Site-to-Site VPN tunnel:
    > > 10.0.0.11 --- 10.0.0.12
    > > The tunnel seems to work (VPN light is on).
    > >
    > > There are servers on the inside LAN on both PIX-firewalls, but they can
    > > not ping each other.

    >
    > > ip address outside 10.0.0.12 255.255.255.0
    > > ip address inside 192.168.2.12 255.255.255.0
    > > route outside 192.168.1.0 255.255.255.0 10.0.0.11 1

    >
    > > ip address outside 10.0.0.11 255.255.255.0
    > > ip address inside 192.168.1.11 255.255.255.0

    >
    > Didn't see a route on this one.


    Good catch. That's probably the problem. Change the route statement
    to:

    route outside 0.0.0.0 0.0.0.0 <ISP or next hop router IP>

    Do this for both firewalls, just be sure to put in the correct next hop
    IP for each site. This way all traffic not directly connected will get
    forwarded out the outside interface, NAT'd or not, and then encrypted
    if it matches your interesting traffic ACLs.

    - B
    response3, Sep 9, 2006
    #4
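A small Python model of the forwarding decisions the two replies describe (route lookup first, then the nat 0 exemption ACL, then the crypto map's interesting-traffic ACL), added here as an illustration and not code from the thread or from Cisco. It uses the addresses from the posted configs; the next hop 10.0.0.1 and the Internet address 198.51.100.7 are assumed placeholders, and the rest of the PIX packet path is left out.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


class Pix:
    """Minimal model of one PIX 6.3 box: connected interfaces, static routes,
    the nat 0 exemption ACL and the crypto map's interesting-traffic ACL."""

    def __init__(self, inside, outside, routes, nat0_acl, crypto_acl):
        self.connected = [(net(inside), "inside"), (net(outside), "outside")]
        # (destination network, next hop) pairs from "route outside ..." lines
        self.routes = [(net(n), hop) for n, hop in routes]
        # (source, destination) permit pairs of the two access-lists
        self.nat0_acl = [(net(s), net(d)) for s, d in nat0_acl]
        self.crypto_acl = [(net(s), net(d)) for s, d in crypto_acl]

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        best = None
        for network, hop in self.connected + self.routes:
            if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, hop)
        return best

    @staticmethod
    def matches(acl, src, dst):
        return any(src in s and dst in d for s, d in acl)

    def forward(self, src, dst):
        """Describe what the PIX does with a packet arriving from the inside LAN."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        route = self.lookup(dst)
        if route is None:
            return "drop: no route"  # the symptom Dom spotted on PIX1
        if route[1] == "inside":
            return "inside: local delivery"
        # Leaving via outside: NAT exemption is decided first, then the crypto map.
        nat = "no NAT" if self.matches(self.nat0_acl, src, dst) else "PAT to outside"
        if self.matches(self.crypto_acl, src, dst):
            return f"outside: encrypted to peer ({nat})"
        return f"outside: cleartext ({nat})"


ANY = ("0.0.0.0/0", "0.0.0.0/0")
LAN_A_TO_B = ("192.168.1.0/24", "192.168.2.0/24")

# PIX1 (10.0.0.11, LAN 192.168.1.0/24) as posted: no route line, both ACLs any/any.
pix1_posted = Pix("192.168.1.0/24", "10.0.0.0/24", [], [ANY], [ANY])
# With both fixes from the thread; next hop 10.0.0.1 is an assumed placeholder.
pix1_fixed = Pix("192.168.1.0/24", "10.0.0.0/24",
                 [("0.0.0.0/0", "10.0.0.1")], [LAN_A_TO_B], [LAN_A_TO_B])
# Default route added but any/any ACLs kept: response3's Internet-traffic concern.
pix1_anyany = Pix("192.168.1.0/24", "10.0.0.0/24",
                  [("0.0.0.0/0", "10.0.0.1")], [ANY], [ANY])

if __name__ == "__main__":
    for pix in (pix1_posted, pix1_fixed, pix1_anyany):
        print("LAN->LAN     :", pix.forward("192.168.1.50", "192.168.2.50"))
        print("LAN->Internet:", pix.forward("192.168.1.50", "198.51.100.7"))  # assumed address
```

With the any/any lists and a default route, Internet-bound traffic is also classed as interesting and exempted from NAT, which is why response3 asks whether Internet access works at all.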
  5. Guest

    Thank you all for your help :)

    Best Regards
    Martin

    , Sep 9, 2006
    #5