Solved

VPN working, but they can't ping our internal network

Posted on 2006-07-14
Last Modified: 2013-11-16
We have the following VPN path setup with an outside vendor:

[them]----[internet]----[our firewall]----[switch]----[domain controller, internal network, etc]

The VPN (ipsec) tunnel has been established and they can ping our firewall box, and we can ping them, but they can't ping anything past the firewall.  They're trying to ping an internal networked printer but get timed out.  I can ping to theirs just fine.

Since they can ping the firewall itself, I'm assuming something is holding it up at the domain controller level.  What do I need to check to allow them to ping internal machines?

Kevin
Question by:Kevin Smith
16 Comments
 
LVL 20

Accepted Solution

by:
RPPreacher earned 66 total points
ID: 17110598
You need an access list permitting traffic from the firewall to the internal network
0
 
LVL 3

Assisted Solution

by:wingspin
wingspin earned 62 total points
ID: 17110609
It could be several things.  
I'd check the default gateway setting of the remote VPN client.  The external IP address of the firewall won't do it.  It depends on your setup as to what the gateway IP address should be.  You can try making their own IP address if you're stumped.

Is the VPN port NAT-ed to your domain controller?  

Are you running the Win-logon script after the VPN connects?  



0
 
LVL 2

Assisted Solution

by:just-one-it
just-one-it earned 62 total points
ID: 17110819
What type of vpn are you using?  Is the IP assigned to the vpn client in the same subnet as the printer they are trying to ping?
0
 
LVL 22

Assisted Solution

by:Rick Hobbs
Rick Hobbs earned 62 total points
ID: 17110863
What type of firewall?  What is your VPN client?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17110887
Is there an echo in here? ;)
0
 
LVL 9

Assisted Solution

by:NYtechGuy
NYtechGuy earned 62 total points
ID: 17110921

It may also be routing:

- Is your network only one subnet, or are there other subnets/routers involved behind your firewall?  They may not have the necessary routes.
0
 
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 62 total points
ID: 17111507
Check my previously answered question on expertsexchange.

http://www.experts-exchange.com/Networking/Q_21774941.html

It may apply to you also.

Good luck.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 62 total points
ID: 17111593
Is the "firewall box" the default gateway for the devices you are trying to ping?
i.e. is the firewall box's LAN IP added to the printer's configuration as its gateway?
Also, the local and remote LAN subnets need to be different for the VPN.
0
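The addressing checks raised in the comment above (distinct LAN subnets on each side, and the firewall's LAN IP as the target's gateway), as an added example that is not part of the original thread. The function name, finding labels and every address are constructed for illustration.

```python
import ipaddress

def check_vpn_addressing(local_lan, remote_lan, firewall_lan_ip,
                         target_ip, target_gateway):
    """Return addressing findings for an internal host a VPN peer cannot reach.

    All parameters are hypothetical inputs collected by hand from each device.
    """
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    firewall = ipaddress.ip_address(firewall_lan_ip)
    target = ipaddress.ip_address(target_ip)
    findings = []

    # If both LANs use overlapping ranges, the remote host treats the target
    # as on-link and ARPs for it locally, so the packet never enters the tunnel.
    if local.overlaps(remote):
        findings.append("subnet-overlap")

    # The target must actually live in the LAN the tunnel advertises.
    if target not in local:
        findings.append("target-outside-local-lan")

    # Echo replies to the remote LAN leave through the target's default
    # gateway. No gateway: the reply is dropped on the host. A gateway other
    # than the firewall: that router needs its own route to the remote LAN.
    if target_gateway is None:
        findings.append("target-has-no-gateway")
    else:
        gateway = ipaddress.ip_address(target_gateway)
        if gateway not in local:
            findings.append("gateway-outside-local-lan")
        elif gateway != firewall:
            findings.append("gateway-is-not-firewall")
    return findings

if __name__ == "__main__":
    # Constructed sample: printer with no gateway configured.
    print(check_vpn_addressing("192.168.1.0/24", "10.20.0.0/16",
                               "192.168.1.1", "192.168.1.50", None))
```

An empty result means the addressing is consistent, which leaves the firewall's own policy (an access list for tunnel traffic, ICMP filtering) as the next thing to check.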
 

Author Comment

by:Kevin Smith
ID: 17111605
Yes, the box is the default gateway, but he can't ping any machine even if it is configured with the default gateway.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17111647
- Are the subnets different? The 2 LANs should be.
- Are "they" pinging the LAN or the WAN IP of the firewall?
- Perhaps, as asked earlier, if you could provide more information as to the VPN configuration, such as hardware make and model and the client you are using, we could better assist.
0
 
LVL 7

Assisted Solution

by:nttranbao
nttranbao earned 62 total points
ID: 17120155
From "them", open a command prompt and use tracert or pathping to trace the route. See where it stops responding.

I guess this is because the firewall does NOT allow ICMP from outside into the internal network. It would have nothing to do with routing, since your internal network can ping "them" successfully.

If possible, tell us what kind of firewall you have: a computer or a Cisco?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 17120732
Did you ever add an access-list?  It was the first suggestion and a very common issue with VPN connectivity issues.
0
 

Author Comment

by:Kevin Smith
ID: 17140637
The problem "fixed itself", although I didn't do anything (guessing it might have been something on their end after all).  I didn't use any of the answers above, but did learn some things so I'm gonna split up the points to everybody if that's cool.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 17140643
Thanks.  Glad it resolved.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17141608
Glad I could be of assistance. Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17142005
Thanks ksmithscs,
--Rob
0
