PIX501 Site to Site ICMP Problem

Discussion in 'Cisco' started by btercha@omegasystemscorp.com, Dec 16, 2005.

  1. Guest

    Hello -

    I have a site to site VPN setup between our office and a couple of
    employees' homes. The problem that I am having is that the VPN tunnel
    will establish but we cannot ping anything on either subnet across the
    site to site VPN. I've made changes to the ACLs, used the 'icmp
    permit' command and even tried to use conduits, but I cannot ping any
    hosts on the remote subnet across the VPN. I can however access our
    Exchange, web and other servers without a problem. Below are copies of
    the configs. IPs, hostnames and passwords have been removed/changed for
    security reasons. Could somebody please tell me what is wrong with the
    config, or what needs to be changed so that we can ping from home to
    the office? Thanks.

    Office config:
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password removed encrypted
    passwd removed encrypted
    hostname OfficePIX501
    domain-name office.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.24
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 10 deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 permit icmp any any echo-reply
    access-list 10 permit icmp any any time-exceeded
    access-list 10 permit icmp any any
    access-list 10 permit tcp any host 1.1.1.1 eq smtp
    access-list 10 permit tcp any host 1.1.1.1 eq 3389
    access-list 10 permit tcp any host 1.1.1.1 eq www
    access-list 10 permit tcp any host 1.1.1.1 eq https
    access-list 10 permit icmp any any unreachable
    access-list 10 permit icmp any any source-quench
    access-list 10 permit ip 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0
    access-list 10 permit icmp 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0
    access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    icmp permit any outside
    mtu outside 1400
    mtu inside 1500
    ip address outside 1.1.1.1 255.255.255.248
    ip address inside 172.31.40.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip local pool vpnpool 192.168.16.5-192.168.16.10
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 1.1.1.1 smtp 172.31.40.250 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 www 172.31.40.250 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 https 172.31.40.250 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 3389 172.31.40.250 3389 netmask 255.255.255.255 0 0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 1 set transform-set strong
    crypto map dynmap1 10 ipsec-isakmp dynamic dynmap
    crypto map dynmap1 interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    vpngroup vpnsetting address-pool vpnpool
    vpngroup vpnsetting dns-server 172.31.40.250
    vpngroup vpnsetting wins-server 172.31.40.250
    vpngroup vpnsetting default-domain removed.com
    vpngroup vpnsetting split-tunnel 110
    vpngroup vpnsetting idle-time 1800
    vpngroup vpnsetting password ********
    telnet 192.168.16.0 255.255.255.0 outside
    telnet 192.168.3.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 172.31.40.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:71a838b1e54be2294e926ff2e449654c
    : end

    Home config:
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password removed encrypted
    passwd removed encrypted
    hostname HomePIX501
    domain-name Homepix.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0
    access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 10 deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 permit icmp any any echo-reply
    access-list 10 permit icmp any any time-exceeded
    access-list 10 permit icmp any any
    access-list 10 permit icmp any any unreachable
    access-list 10 permit icmp any any source-quench
    access-list 10 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 10 permit icmp 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.2.100 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group 10 in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.31.40.0 255.255.255.0 outside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto map Home2Office 10 ipsec-isakmp
    crypto map Home2Office 10 match address 100
    crypto map Home2Office 10 set peer 72.245.146.34
    crypto map Home2Office 10 set transform-set strong
    crypto map Home2Office interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet 192.168.16.0 255.255.255.0 outside
    telnet 192.168.3.0 255.255.255.0 outside
    telnet 172.31.40.0 255.255.255.0 outside
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.2.25-192.168.2.50 inside
    dhcpd dns 68.87.75.194 68.87.64.196
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:39b99b97937befbb04d412cc69f09915
    : end

    Thank you for your help.
    , Dec 16, 2005
    #1

  2. In article <>,
    <> wrote:

    >I have a site to site VPN setup between our office and a couple of
    >employees' homes. The problem that I am having is that the VPN tunnel
    >will establish but we cannot ping anything on either subnet across the
    >site to site VPN.


    >Office config:
    >PIX Version 6.3(5)


    [rearranged]

    >access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0
    >vpngroup vpnsetting split-tunnel 110


    Your split tunnel is for 192.168.16.x on the client side and
    172.31.40.x on the server side to go through the tunnel.

    >ip local pool vpnpool 192.168.16.5-192.168.16.10
    >vpngroup vpnsetting address-pool vpnpool


    This agrees with the client side address for the split tunnel.

    >access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.24
    >access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    >access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0
    >nat (inside) 0 access-list 100


    This ACL is read as 172.31.40.x on the PIX side and a few other things
    on the remote side, and turns off address translation for those flows.

    The 192.168.2.x and 192.168.3.x destinations are irrelevant for the
    problem being investigated, so focus on the other line:

    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.24

    Is this line consistent with 172.31.40.x on the PIX side and
    192.168.16.x on the client side? No! This line is for
    192.168.16.0 - 192.168.16.7, .32 - .39, .64 - .71, .96 - .103,
    .128 - .135, .160 - .167, .192 - .199, and .224 - .231


    If a 0 accidentally got dropped in the posting and the line is really
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.240

    then it covers 192.168.16.0 - 192.168.16.15, which does cover the complete
    allocated address pool, but is not consistent with the split tunnel.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Dec 16, 2005
    #2
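To check the mask arithmetic in the reply above, here is an added example (not part of the thread, and not Walter's code) that parses the 'permit ip' entries of the office config as posted, applies a netmask the way the PIX does (bitwise, whether or not the mask is contiguous), and then tests the two things the reply points out: whether the nat 0 ACL covers the whole 'ip local pool vpnpool' range, and whether it agrees with the split-tunnel ACL 110. It assumes only the Python standard library; every function name is the editor's own.

```python
"""Expand a PIX ACL netmask (contiguous or not) and check the nat 0 ACL
against the VPN pool and the split-tunnel ACL. Added example; the ACL
lines below are copied from the office config in the first post."""
import ipaddress
import re

OFFICE_ACLS = """
access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.24
access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0
"""
VPN_POOL = ("192.168.16.5", "192.168.16.10")   # ip local pool vpnpool

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acls(text):
    """Return {acl_id: [(src, src_mask, dst, dst_mask), ...]} for 'permit ip'
    entries; icmp/tcp/deny entries are ignored by this example."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def mask_matches(addr, net, mask):
    """The PIX accepts a non-contiguous netmask and applies it bitwise,
    so this is exactly the comparison the firewall makes."""
    return (_ip(addr) & _ip(mask)) == (_ip(net) & _ip(mask))


def matched_ranges(net, mask, scan_prefix):
    """Walk scan_prefix and collapse the addresses net/mask matches into
    (first, last) ranges; a non-contiguous mask yields several."""
    ranges, start, prev = [], None, None
    for host in ipaddress.IPv4Network(scan_prefix):
        if not mask_matches(str(host), net, mask):
            continue
        if prev is not None and int(host) == int(prev) + 1:
            prev = host
            continue
        if start is not None:
            ranges.append((str(start), str(prev)))
        start = prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def pool_gaps(entries, first, last):
    """Pool addresses no entry's destination matches: clients given those
    addresses are NATted instead of exempted by 'nat (inside) 0'."""
    gaps = []
    for a in range(_ip(first), _ip(last) + 1):
        addr = str(ipaddress.IPv4Address(a))
        if not any(mask_matches(addr, dst, dmask) for _, _, dst, dmask in entries):
            gaps.append(addr)
    return gaps


def nat0_vs_split_tunnel(nat0, split):
    """Split-tunnel entries with no identical entry in the nat 0 ACL: flows
    the client sends down the tunnel but the PIX would translate."""
    return [e for e in split if e not in nat0]


if __name__ == "__main__":
    acls = parse_acls(OFFICE_ACLS)
    _src, _smask, dst, dmask = acls["100"][0]
    print("ranges matched by", dst, dmask, ":", matched_ranges(dst, dmask, "192.168.16.0/24"))
    print("pool addresses not covered by nat 0:", pool_gaps(acls["100"], *VPN_POOL))
    print("split-tunnel entries missing from nat 0:", nat0_vs_split_tunnel(acls["100"], acls["110"]))
```

Run as-is it prints the eight 8-address blocks listed in the reply, the three pool addresses (.8 to .10) that the .24 mask leaves uncovered, and the ACL 110 entry that has no exact counterpart in ACL 100. Changing the mask in OFFICE_ACLS to 255.255.255.240 gives the single .0 to .15 range and an empty gap list, but the ACL 110 mismatch remains, which is the second point the reply makes.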

  3. Guest

    Thanks, I've made changes to the config, its posted below.

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password removed encrypted
    passwd removed encrypted
    hostname OfficePIX501
    domain-name office.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0
    access-list 10 deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 permit icmp any any echo-reply
    access-list 10 permit icmp any any time-exceeded
    access-list 10 permit icmp any any
    access-list 10 permit tcp any host 1.1.1.1 eq smtp
    access-list 10 permit tcp any host 1.1.1.1 eq 3389
    access-list 10 permit tcp any host 1.1.1.1 eq www
    access-list 10 permit tcp any host 1.1.1.1 eq https
    access-list 10 permit icmp any any unreachable
    access-list 10 permit icmp any any source-quench
    access-list 10 permit ip 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0
    access-list 10 permit icmp 192.168.2.0 255.255.255.0 172.31.40.0 255.255.255.0
    access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.16.0 255.255.255.0
    access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 110 permit ip 172.31.40.0 255.255.255.0 192.168.3.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    icmp permit any outside
    mtu outside 1400
    mtu inside 1500
    ip address outside 1.1.1.1 255.255.255.248
    ip address inside 172.31.40.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip local pool vpnpool 192.168.16.5-192.168.16.10
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 1.1.1.1 smtp 172.31.40.250 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 www 172.31.40.250 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 https 172.31.40.250 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 1.1.1.1 3389 172.31.40.250 3389 netmask 255.255.255.255 0 0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 1 set transform-set strong
    crypto map dynmap1 10 ipsec-isakmp dynamic dynmap
    crypto map dynmap1 interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    vpngroup vpnsetting address-pool vpnpool
    vpngroup vpnsetting dns-server 172.31.40.250
    vpngroup vpnsetting wins-server 172.31.40.250
    vpngroup vpnsetting default-domain removed.com
    vpngroup vpnsetting split-tunnel 110
    vpngroup vpnsetting idle-time 1800
    vpngroup vpnsetting password ********
    telnet 192.168.16.0 255.255.255.0 outside
    telnet 192.168.3.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 172.31.40.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:71a838b1e54be2294e926ff2e449654c
    : end

    I'm not concerned with the 192.168.16.0/24 subnet right now; that is
    used when people connect using the VPN client software. The problem I
    am trying to get to the bottom of is that you cannot ping between the
    172.31.40.0/24 and 192.168.2.0/24 IP subnets. I can telnet, RDP and web
    browse, so the VPN tunnel is establishing and passing traffic, but I
    cannot ping. It is very frustrating. When I do a 'show log' on either
    side I see the following:

    Office:
    400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interface outside
    400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interface outside
    400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interface outside

    Home:
    400014: IDS:2004 ICMP echo request from 172.31.40.51 to 192.168.2.55 on interface outside
    400014: IDS:2004 ICMP echo request from 172.31.40.51 to 192.168.2.55 on interface outside

    All of the IPs above are valid and respond to ICMP within the same
    subnet.

    Any more ideas?
    , Dec 16, 2005
    #3
  4. Wayne Guest

    Wayne, Dec 16, 2005
    #4
  5. Guest

    No luck; I ended up disabling IDS policy '2004 ICMP Echo request':

    'ip audit signature 2004 disable'

    This allowed ping from subnet to subnet through the VPN.

    Thanks for everyone's help.
    , Dec 16, 2005
    #5
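The fix in the last post is the key to the whole thread. The 'show log' lines quoted in post #3 show the echo requests being matched by IDS signature 2004 on the outside interface, where the 'probe' policy ('ip audit name probe info action alarm drop reset') is applied, so the decrypted VPN packets were dropped by the audit engine regardless of what the ACLs and 'sysopt connection permit-ipsec' allowed. What follows is an added example, not code from the thread, that models that 'ip audit' configuration in Python and replays log lines of the quoted format against it, before and after 'ip audit signature 2004 disable'. It assumes only the standard library; the signature table deliberately covers just the ICMP informational signatures 2000 to 2012, the policy model is the editor's simplification of the PIX behaviour, and the 203.0.113.9 timestamp-request log line is constructed.

```python
"""Model a PIX 6.3 'ip audit' configuration and replay IDS syslog lines
against it to see which flows the audit policy drops. Added example built
around the office config and log lines posted in this thread."""
import re

# ICMP informational signatures 2000-2012 only. Assumption: this table is
# deliberately partial; the rest of the PIX signature set is not reproduced.
SIG_CLASS = {n: "info" for n in range(2000, 2013)}

# Audit lines as posted in the office config (before the fix).
AUDIT_CONFIG = """
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
"""
# The same plus the line the poster ended up adding.
FIXED_CONFIG = AUDIT_CONFIG + "ip audit signature 2004 disable\n"

# Constructed 'show log' sample in the format quoted in the thread; the
# 203.0.113.9 line is invented to show a non-VPN flow on the same interface.
SAMPLE_LOG = """
400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interface outside
400014: IDS:2004 ICMP echo request from 192.168.2.55 to 172.31.40.250 on interface outside
400017: IDS:2007 ICMP timestamp request from 203.0.113.9 to 1.1.1.1 on interface outside
"""

# Accepts both the bare 'show log' form and the '%PIX-4-4000nn:' syslog form.
LOG_RE = re.compile(
    r"(?:%PIX-\d-)?4000\d\d: IDS:(\d+) (.+?) from (\S+) to (\S+) on interface (\S+)")


class AuditPolicy:
    """Minimal model of 'ip audit': named policies, interface bindings,
    per-class default actions and globally disabled signatures."""

    def __init__(self, config_text):
        self.named = {}      # policy name -> (class, explicit action set or None)
        self.bound = {}      # interface -> set of policy names applied to it
        self.default = {"info": {"alarm"}, "attack": {"alarm"}}  # PIX default action
        self.disabled = set()
        for line in config_text.splitlines():
            w = line.split()
            if w[:2] != ["ip", "audit"] or len(w) < 4:
                continue
            if w[2] == "name":                # ip audit name N info|attack [action ...]
                self.named[w[3]] = (w[4], set(w[6:]) or None)
            elif w[2] == "interface":         # ip audit interface IF NAME
                self.bound.setdefault(w[3], set()).add(w[4])
            elif w[2] in ("info", "attack"):  # ip audit info|attack action ...
                self.default[w[2]] = set(w[4:])
            elif w[2] == "signature" and w[-1] == "disable":
                self.disabled.add(int(w[3]))  # disable is global, not per interface

    def actions_for(self, sig, iface):
        """Action set the PIX applies to signature `sig` seen on `iface`, or a
        string naming the reason the signature is not evaluated there."""
        if sig in self.disabled:
            return "disabled"
        cls = SIG_CLASS.get(sig)
        if cls is None:
            return "unknown-class"            # not in this example's partial table
        names = [n for n in self.bound.get(iface, ()) if self.named[n][0] == cls]
        if not names:
            return "not-audited"              # no policy of that class on this interface
        explicit = self.named[names[0]][1]
        return explicit if explicit else self.default[cls]


def parse_log(text):
    """Yield (signature, description, src, dst, iface) for each IDS line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            sig, desc, src, dst, iface = m.groups()
            yield int(sig), desc, src, dst, iface


def dropped_flows(policy, log_text):
    """Distinct (sig, src, dst, iface) flows the policy drops: the symptom."""
    hits = set()
    for sig, _desc, src, dst, iface in parse_log(log_text):
        acts = policy.actions_for(sig, iface)
        if isinstance(acts, set) and "drop" in acts:
            hits.add((sig, src, dst, iface))
    return sorted(hits)


def dropping_signatures(policy, iface):
    """Signatures from the table that still drop on iface; shows what a change
    such as 'ip audit signature 2004 disable' leaves in place."""
    out = []
    for sig in sorted(SIG_CLASS):
        acts = policy.actions_for(sig, iface)
        if isinstance(acts, set) and "drop" in acts:
            out.append(sig)
    return out


if __name__ == "__main__":
    before, after = AuditPolicy(AUDIT_CONFIG), AuditPolicy(FIXED_CONFIG)
    print("dropped before fix:", dropped_flows(before, SAMPLE_LOG))
    print("dropped after fix: ", dropped_flows(after, SAMPLE_LOG))
    print("still dropping on outside:", dropping_signatures(after, "outside"))
```

One caveat the thread does not spell out: 'ip audit signature 2004 disable' is global, so after the fix echo requests arriving from the Internet are no longer alarmed or dropped on the outside interface either, and 'access-list 10 permit icmp any any' together with 'icmp permit any outside' already lets them through. If keeping the log entries matters, an info policy without 'drop' (for example 'ip audit name probe info action alarm') still records the 400014 messages while letting the VPN pings pass.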
