05.07.2008 at 04:03AM PDT, ID: 23382289 | Points: 250
Can't ping anything through a VPN Pix to Pix  tunnel
Hello everybody,

I built a VPN tunnel between 2 Cisco PIX 506e.
My tunnel is up and my users on both sides can access resources, but I can't ping any machine or server from either side. I can telnet to every piece of equipment from both sides, but no ping, and tracert displays nothing. I tried so many things but none of them worked.

See below the configuration of my 2 PIXes:
Head Office

PIX Version 6.3(5)

access-list inside_outbound_nat0_acl permit ip HeadOffice 255.255.240.0 Branch_Site 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Company_Network 255.255.0.0 Branch_Site 255.255.255.0

access-list inside_access_in permit ip any any

access-list outside_cryptomap_70 permit icmp any any
access-list outside_cryptomap_70 permit ip HeadOffice 255.255.240.0 Branch_Site 255.255.255.0
access-list outside_cryptomap_70 permit ip Company_Network 255.255.0.0 Branch_Site 255.255.255.0

access-list acl_outside permit icmp any any

icmp permit any outside
icmp permit any inside

mtu outside 1500
mtu inside 1500

ip address outside Pix_OUT 255.255.255.0
ip address inside Pix_IN 255.255.255.0

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 Company_Network 255.255.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 Gateway_Internet 1
route outside Branch_Site 255.255.255.0 Gateway_Internet 1
route inside HeadOffice 255.255.240.0 Gateway_HeadOffice 1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer Pix_Branch_Site
crypto map outside_map 70 set transform-set ESP-3DES-MD5

isakmp enable outside

isakmp key ******** address Pix_Branch_Site netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 15
isakmp nat-traversal 20

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

management-access inside


Pix Branch Site

PIX Version 6.3(5)

access-list acl_outside permit ip Branch_Site 255.255.255.0 Head_Office 255.255.240.0
access-list acl_outside permit ip Branch_Site 255.255.255.0 Company_Network 255.255.0.0
access-list acl_outside permit icmp any any

access-list acl_inside permit ip Branch_Site 255.255.255.0 Head_Office 255.255.240.0
access-list acl_inside permit icmp any any

access-list acl_VPN_Head_Office_70 permit ip Branch_Site 255.255.255.0 Head_Office 255.255.240.0
access-list acl_VPN_Head_Office_70 permit ip Branch_Site 255.255.255.0 Company_Network 255.255.0.0
access-list acl_VPN_Head_Office_70 permit icmp any any

access-list ping_access permit icmp any any unreachable
access-list ping_access permit icmp any any echo-reply
access-list ping_access permit icmp any any time-exceeded

icmp permit any outside
icmp permit any inside

mtu outside 1500
mtu inside 1500

ip address outside dhcp setroute
ip address inside PIX_Branch_Site_IN 255.255.255.0

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list acl_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group ping_access in interface outside
access-group ping_access in interface inside

route outside Company_Network 255.255.0.0 Branch_Site-GW-Internet 1
route outside Head_Office 255.255.240.0 Branch_Site-GW-Internet 1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map VPN 70 ipsec-isakmp
crypto map VPN 70 match address acl_VPN_Head_Office_70
crypto map VPN 70 set peer PIX_Head_Office
crypto map VPN 70 set transform-set ESP-3DES-MD5
crypto map VPN interface outside

isakmp enable outside

isakmp key ******** address PIX_Head_Office netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 15
isakmp nat-traversal 20

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

management-access inside


I hope that you can help me.



Question Stats
Zone: Networking
Question Asked By: Ficelkilla
Question Asked On: 05.07.2008
Participating Experts: 2
Points: 250
Views: 0
05.07.2008 at 05:30AM PDT, ID: 21515642

Rank: Master

You do not permit echo_request in ping_access ACL.
 
05.07.2008 at 05:53AM PDT, ID: 21515840
You don't have to do that.
echo_request doesn't need to be configured (and can't be configured) on a Cisco PIX 506e.
 
05.07.2008 at 06:03AM PDT, ID: 21515915

Rank: Master

The ACLs applied on each interface permit specific ping traffic.  All PIX ACLs implicitly deny any traffic NOT explicitly permitted.

Therefore...

You do not permit echo_request in ping_access ACL.

Or, to clarify, by applying an ACL you are blocking any traffic that you don't explicitly permit.
 
05.07.2008 at 06:47AM PDT, ID: 21516308
Ok I understand what you mean.

I deleted the access-list ping_access and the access-group,
but I still can't ping my machines.

Do you have an idea?
 
05.07.2008 at 06:49AM PDT, ID: 21516326

Rank: Master

You can turn on ping trace on each pix.  Find out where it is dying.

debug icmp trace

You should see echo requests and echo replies.  Test that.  Let me know results.
 
05.07.2008 at 07:02AM PDT, ID: 21516446
I tried to do so, but when I ping the inside interface from one side to the opposite one,
I see the echo-request but nothing is logged on the other side.
It is the same on both sides.

To sum up:
   ping from A to B: echo-request on A but nothing on B
   ping from B to A: echo-request on B but nothing on A
 
05.07.2008 at 07:07AM PDT, ID: 21516496

Rank: Master

What happens if you ping something other than the inside interface of the pix?  Don't see the requests?
 
05.07.2008 at 07:38AM PDT, ID: 21516873
Nothing happened when I tried from the head office to the branch site,
but I saw in the log some pings between one machine of the branch site and a server of the head office.


 
05.08.2008 at 11:53AM PDT, ID: 21527424
Try adding the following two lines to the configs:

icmp permit any echo-reply outside
icmp permit any echo-reply inside

:)
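To make the two firewall behaviours discussed in this thread concrete (the implicit deny at the end of the ping_access access-list in comment 21515915, and the separate icmp permit table suggested in comment 21527424), here is a small Python model of how a PIX evaluates an ICMP packet arriving on its inside interface. It is an added example written for this page, not code from the thread or from Cisco; the ACL entries mirror the asker's ping_access list, the host addresses are constructed RFC 5737 documentation addresses, and the model assumes what the PIX documentation states: an interface ACL is evaluated top-down with an implicit deny at the end, traffic from the inside interface is permitted by default when no ACL is applied, and the icmp command only governs ICMP addressed to the firewall's own interface address, never traffic passing through it.

```python
"""Constructed model of PIX 6.3 inbound ICMP handling on the inside interface.

Added example, not from the thread or Cisco. Assumptions (labelled as such):
  * an ACL applied with access-group is evaluated top-down, implicit deny at the end;
  * with no ACL applied, traffic entering the inside (security 100) interface is permitted;
  * the `icmp permit ...` table only applies to ICMP addressed to the interface itself.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# ICMP type numbers (RFC 792) with the matching PIX ACL keyword in the comment.
ECHO = 8             # echo        (ping request)
ECHO_REPLY = 0       # echo-reply
UNREACHABLE = 3      # unreachable
TIME_EXCEEDED = 11   # time-exceeded


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp" or another IP protocol name
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry, e.g. `permit icmp any any echo-reply`."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # CIDR string or "any"
    dst: str
    icmp_type: Optional[int] = None   # None matches every ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not _in(self.src, pkt.src) or not _in(self.dst, pkt.dst):
            return False
        if self.proto == "icmp" and self.icmp_type is not None:
            return pkt.icmp_type == self.icmp_type
        return True


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass
class Pix:
    interfaces: dict                                   # iface name -> interface address
    access_groups: dict = field(default_factory=dict)  # iface -> list of Ace (access-group in)
    icmp_rules: dict = field(default_factory=dict)     # iface -> set of permitted ICMP types
                                                       # (None in the set = `icmp permit any <iface>`)

    def inbound(self, iface: str, pkt: Packet) -> str:
        """Return 'permit' or 'deny' for a packet arriving on `iface`."""
        # ICMP terminating on the PIX itself is decided by the icmp table, not by ACLs.
        if pkt.proto == "icmp" and pkt.dst == self.interfaces[iface]:
            allowed = self.icmp_rules.get(iface, set())
            return "permit" if (None in allowed or pkt.icmp_type in allowed) else "deny"
        acl = self.access_groups.get(iface)
        if acl is None:
            return "permit"      # assumption: no ACL on inside -> higher-to-lower security allowed
        for ace in acl:          # first matching entry wins
            if ace.matches(pkt):
                return ace.action
        return "deny"            # implicit deny at the end of every PIX ACL


# The asker's ping_access list: replies and errors only, no echo request.
PING_ACCESS = [
    Ace("permit", "icmp", "any", "any", UNREACHABLE),
    Ace("permit", "icmp", "any", "any", ECHO_REPLY),
    Ace("permit", "icmp", "any", "any", TIME_EXCEEDED),
]
# The same list with the entry the expert says is missing: `permit icmp any any echo`.
PING_ACCESS_WITH_ECHO = PING_ACCESS + [Ace("permit", "icmp", "any", "any", ECHO)]

BRANCH_HOST = "192.0.2.10"        # constructed addresses, not the thread's
HEAD_SERVER = "198.51.100.20"
BRANCH_PIX_INSIDE = "192.0.2.1"


def branch_pix(acl, icmp_types):
    pix = Pix(interfaces={"inside": BRANCH_PIX_INSIDE})
    if acl is not None:
        pix.access_groups["inside"] = acl     # access-group <acl> in interface inside
    pix.icmp_rules["inside"] = icmp_types     # icmp permit any [type] inside
    return pix


def ping_through(acl) -> str:
    """Echo request from a branch LAN host toward a head-office server (through traffic)."""
    pkt = Packet(BRANCH_HOST, HEAD_SERVER, "icmp", ECHO)
    return branch_pix(acl, {None}).inbound("inside", pkt)


def ping_to_pix(icmp_types) -> str:
    """Echo request from a branch LAN host addressed to the PIX inside interface itself."""
    pkt = Packet(BRANCH_HOST, BRANCH_PIX_INSIDE, "icmp", ECHO)
    return branch_pix(PING_ACCESS, icmp_types).inbound("inside", pkt)


if __name__ == "__main__":
    print("ping_access as posted      :", ping_through(PING_ACCESS))
    print("ping_access + echo entry   :", ping_through(PING_ACCESS_WITH_ECHO))
    print("access-group removed       :", ping_through(None))
    print("icmp permit any inside     :", ping_to_pix({None}))
    print("icmp permit any echo-reply :", ping_to_pix({ECHO_REPLY}))
```

Running it shows the three outcomes the thread walks through: with ping_access applied inbound on inside, a host's echo request is dropped by the implicit deny; adding a `permit icmp any any echo` entry or removing the access-group lets it through; and the icmp table decides only whether the PIX answers pings to its own interface address, so the asker's existing `icmp permit any inside` already covers that case while an echo-reply-only entry would not.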