IPSec VPN OK, cannot ping from router to hosts on remote LAN

Discussion in 'Cisco' started by Mirko, Jul 30, 2004.

  1. Mirko

    Mirko Guest

    I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
    Zyxels 652 (remotes).

    I am able to establish ICMP communications (send receive) among hosts on a
    given LAN and hosts on the other LAN. Other protocols and applications also
    work correctly (UDP/TCP, remote control software, data transfer software
    etc.).

    I realized I could not do the same from my Cisco router, i.e. it cannot ping
    any hosts on the remote LAN. I cannot even ping the LAN interface of the
    remote router.

    Following a "trace" command I learned the router just sends its ICMP packets
    to its default gateway (interface dialer0, this being a PPPoE-type
    connection), where they are soon lost, being addressed to a private LAN.

    How can I tell my router to send packets addressed to my remote LANs towards
    the IPSec tunnels?

    Thanks for any suggestion.


    Mirko
     
    Mirko, Jul 30, 2004
    #1

  2. Ivan Ostres

    Ivan Ostres Guest

    You need to specify your routers (ping source) address in your crypto
    access list. You also need to be sure which address is your source
    address when you ping from the router (it is possible to specify source
    address using extended ping).
     
    Ivan Ostres, Jul 30, 2004
    #2

  3. Rik Bain

    Rik Bain Guest

    You want to source the ping from the lan interface via extended ping.
    Type "ping ip" and hit enter. You will be prompted for more information,
    including the source interface.

    Rik Bain
     
    Rik Bain, Jul 30, 2004
    #3
  4. Mirko

    Mirko Guest

    Ivan,
    you were right as both suggestions were necessary for this to work.

    I opened ICMP on inbound interface (dialer0) from "remote private LAN" to
    "local private LAN".

    Being still unsuccessful in pinging the remote host from my router, I used
    "extended ping" to specify ethernet0 as the source of the ICMP request. I
    also used "debug ip icmp" to gather useful information.

    This worked as I started to receive echo replies from the remote hosts.

    Now I wonder: how does the IOS select the default interface to stamp its
    ping packets with? Is it possible to have it changed to the ethernet0 by
    default?

    Thanks for your advice.


    Mirko
     
    Mirko, Jul 31, 2004
    #4
  5. Mirko

    Mirko Guest

    Thanks Rik, I tried it and by also opening the firewall to ICMP replies it
    worked well.

    Mirko
     
    Mirko, Jul 31, 2004
    #5
  6. Ivan Ostres

    Ivan Ostres Guest

    You don't have to use extended ping (all the options) to set the source
    address. You can do it directly:

    ping 1.2.3.4 source 1.1.1.1

    (this is from the top of my head so it may be wrong, but ? will give you
    the right syntax).

    You can also look at:

    ip ping ?

    output to see if it's possible to set source up. Sorry, I don't have any
    router close to me to check it out.
     
    Ivan Ostres, Aug 1, 2004
    #6
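The whole thread in one IOS fragment, as an added example that is not any poster's configuration. By default IOS sources a ping from the address of the interface it routes the packet out of; with a default route on dialer0 that is the public PPPoE address, which matches no line of the crypto access list, so the echo request leaves in clear towards the default gateway exactly as the trace showed. The fix is two-fold, as Ivan and Mirko described: the crypto ACL must cover the router's own LAN address, and the ping must be sourced from ethernet0. All addresses, the ACL numbers and the crypto map name below are constructed; the ISAKMP policy, transform set and crypto map body are assumed to exist already, since the tunnel itself works.

```cisco
! Added example, not the poster's config. Constructed addressing:
!   hub LAN (Cisco 837, ethernet0)  : 10.1.0.0/24, router itself 10.1.0.1
!   remote LAN (Zyxel 652, LAN side): 10.2.0.0/24, remote router 10.2.0.1
!   hub public address (dialer0)    : 203.0.113.1   (constructed placeholder)
!
! Crypto ACL: "interesting traffic" for the tunnel. Matching the whole LAN
! subnet covers the LAN hosts and the router's own ethernet0 address, so a
! ping sourced from 10.1.0.1 is encrypted instead of being routed in clear
! out of dialer0 to the default gateway.
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Inbound filter on dialer0. Decrypted packets are checked against this list
! too, which is why Mirko had to open ICMP from the remote private LAN to the
! local private LAN. Only echo-reply is admitted here; the ESP/ISAKMP lines
! are what the working tunnel already needs.
access-list 111 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
access-list 111 permit esp any host 203.0.113.1
access-list 111 permit udp any host 203.0.113.1 eq isakmp
!
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
!
interface Dialer0
 ip access-group 111 in
 crypto map VPN
!
! From exec mode: source the ping from the LAN address so that it matches
! access-list 110 and enters the tunnel. The interactive form ("ping ip",
! then answer the "Source address or interface" prompt) does the same thing.
!   Router# ping 10.2.0.1 source 10.1.0.1
! While testing, "debug ip icmp" shows whether echo replies come back.
```

The ordering matters for troubleshooting: if the crypto ACL does not include the source address, "debug ip icmp" shows requests being sent but never answered, because they left unencrypted; if the ACL is right but the ping is sourced from dialer0, the same symptom appears for the same reason. Fixing only the inbound filter, as the fourth post notes, changes nothing until the source address is correct as well.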
