PIX 501 ICMP over VPN

Discussion in 'Cisco' started by Yvick, May 20, 2005.

  1. Yvick wrote:

    Hello everyone,

    I have set up an IPsec tunnel between 2 PIX 501s.
    I have accepted ICMP on both interfaces.
    I have opened up the firewall inside and outside to ICMP and IP flux
    from anywhere to anywhere.

    The IPsec tunnels were OK; as soon as I opened up the ports, the IPsec
    went down (ISAKMP is still up).

    I can ping outside addresses but I cannot ping within the firewall to
    any address, including the IP of the inside interface on the other end
    of the tunnel.

    I've done a fair bit of VPN set-ups in the last few years, including a
    worldwide set-up with a Cisco 2600 concentrator and over 100 Cisco SOHOs
    on remote sites. With all my experience, this PIX gizmo has me
    stunned. This is by far the most complicated and obscure OS I have ever
    seen.

    Just about to throw the whole thing out of the window and give my
    client his money back ! HHHEEEEEEELLLLLLLLP !
     
    Yvick, May 20, 2005
    #1

  2. Walter Roberson wrote, quoting Yvick:
    :I have set up a IPsec tunnel between 2 Pix 501.
    :I have accepted ICMP for both interface.
    :I have opened up the firewall inside and outside to ICMP and IP flux
    :from anywhere to anywhere.

    I do not understand about "IP flux" ?

    :The ipsec tunnels were OK, as soon as I opened up the ports, the IPSec
    :went down (ISAKMP is still up).

    I have some hypotheses about probable configuration errors, but rather
    than my writing them all up, please post a sanitized configuration and
    we can point to particular parts of it.


    :I can ping outside addresses but I cannot ping within the firewall to
    :any address, including the IP of the inside interface on the other end
    :of the tunnel.

    You can only ping to the "nearest" interface of a PIX, unless
    you have defined a VPN tunnel as a "management" interface.
    --
    Look out, there are llamas!
     
    Walter Roberson, May 20, 2005
    #2

  3. Yvick wrote:

    Walter Roberson wrote:
    > Yvick wrote:
    > :I have set up a IPsec tunnel between 2 Pix 501.
    > :I have accepted ICMP for both interface.
    > :I have opened up the firewall inside and outside to ICMP and IP flux
    > :from anywhere to anywhere.
    >
    > I do not understand about "IP flux" ?


    I mean all packets in and out that correspond to an IP protocol (which
    includes ICMP, if I'm not mistaken ...)
    >
    > :The ipsec tunnels were OK, as soon as I opened up the ports, the IPSec
    > :went down (ISAKMP is still up).
    >
    > I have some hypotheses about probable configuration errors, but rather
    > than my writing them all up, please post a sanitized configuration and
    > we can point to particular parts of it.


    Got that working at last. It was a configuration error.
    >
    >
    > :I can ping outside addresses but I cannot ping within the firewall to
    > :any address, including the IP of the inside interface on the other end
    > :of the tunnel.
    >
    > You can only ping to the "nearest" interface of a PIX, unless
    > you have defined a VPN tunnel as a "management" interface.
    > --
    > Look out, there are llamas!


    This is where my understanding collapses.
    My set-up is as follows:

    pcLAN1 --> Router (contains a static route for LAN2 with gateway
    indicating Pix 501 LAN1) --> Pix 501 LAN1 <##############IPSec
    Tunnel#############> Pix 501 LAN2 <--> Router (contains a static route
    with gateway indicating Pix 501 LAN2) <--> pcLAN2

    -- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the outside
    interface to the world.
    -- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the inside
    interface to the opposite Pix 501 Inside interface and to the opposite
    router LAN Interface.
    ---From Pix 501 LAN1 and Pix 501 LAN2 I CANNOT ping from the inside
    interface to any of the machines (in the example pcLANx) on the
    opposite network.

    I have enabled an access-list to allow reply packets from anywhere to be
    accepted by the outside interface, inbound.

    Is this clear enough ? Thanks for your help ...

    Y
     
    Yvick, May 30, 2005
    #3
  4. Walter Roberson wrote, quoting Yvick:

    :pcLAN1 --> Router (contains a static route for LAN2 with gateway
    :indicating Pix 501 LAN1) --> Pix 501 LAN1 <##############IPSec
    :Tunnel#############> Pix 501 LAN2 <--> Router ((contains a static route
    :with gateway indicating Pix 501 LAN2) <--> pcLAN2

    :-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the outside
    :interface to the world.
    :-- From Pix 501 LAN1 and Pix 501 LAN2 I can ping from the inside
    :interface to the opposite Pix 501 Inside interface and to the opposite
    :router LAN Interface.

    If you can ping to the inside interface of the opposite PIX then either
    you have some strange routing or some additional topology not shown
    here (e.g., a VPN concentrator), or you have defined the VPN tunnel
    as being a management tunnel.

    :---From Pix 501 LAN1 and Pix 501 LAN2 I CANNOT ping from the inside
    :interface to any of the machines (in the example pcLANx) on the
    :opposite network.

    That would be consistent with having defined the tunnel as a management
    tunnel. When you define a management tunnel, you are only allowed to
    reach the remote PIX itself (no matter what the crypto ACL says.)
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, May 30, 2005
    #4
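Worked example (added here; this is not Yvick's configuration, which was never posted, nor anything from the thread). It is a sanitized PIX 6.3 site-to-site fragment for the LAN1 side, written to show the pieces that Walter's replies #2 and #4 turn on: the crypto ACL that decides what is "interesting" traffic, the NAT exemption for the same pair of networks, "sysopt connection permit-ipsec" as the alternative to opening the outside interface to "ip any any", the "icmp permit" statements that govern pings addressed to the PIX's own interfaces, and "management-access inside", which is what lets the inside interface be reached over the tunnel. All addresses, names (vpn, nonat, outside_in, vpnmap, strong) and the pre-shared key placeholder are assumptions chosen for illustration.

```cisco
! Hypothetical addressing for the LAN1-side PIX 501 (PIX 6.3 syntax):
!   192.168.1.0/24  = LAN1 (inside, this site)
!   192.168.2.0/24  = LAN2 (inside, remote site)
!   203.0.113.1     = this PIX, outside
!   198.51.100.1    = remote PIX, outside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

! Crypto ACL: LAN-to-LAN only. An "ip any any" crypto ACL would try to pull
! every flow (Internet traffic included) into the tunnel. The remote PIX must
! carry the mirror image of this line.
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption for the same pair, so tunnelled packets keep LAN addresses;
! everything else is PATed to the outside interface address.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Decrypted IPsec traffic bypasses the outside interface ACL. This replaces
! any "permit ip any any" on the outside interface.
sysopt connection permit-ipsec

! Outside ACL: only the ICMP replies the PIX itself needs when pinging out.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside

! ICMP addressed to the PIX's own interfaces (separate from transit traffic).
icmp permit any outside
icmp permit any inside

! Allow the inside interface of this PIX to be pinged and managed from the
! far end of the tunnel.
management-access inside

! IKE phase 1 (pre-shared key, placeholder) and IPsec phase 2.
isakmp enable outside
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

The LAN2 side is the same with the two LAN networks and the two outside addresses swapped. To check a tunnel that is "up" for ISAKMP but not passing pings, compare "show isakmp sa" with "show crypto ipsec sa" while a host on LAN1 pings a host on LAN2: the phase 2 SA for 192.168.1.0/24 <-> 192.168.2.0/24 should exist and both the #pkts encaps and #pkts decaps counters should climb. Encaps climbing with decaps at zero points at the far side (mirror crypto ACL, its nat 0, or its inside routing); neither climbing usually means the packets are not matching the crypto ACL here, typically because they were NATed first ("show xlate" will show the translation) or the ACL pair does not match. "show access-list" hit counts on vpn and nonat confirm which of the two is being missed.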