VPN working, but they can't ping our internal network

We have the following VPN path setup with an outside vendor:

[them]----[internet]----[our firewall]----[switch]----[domain controller, internal network, etc]

The VPN (ipsec) tunnel has been established and they can ping our firewall box, and we can ping them, but they can't ping anything past the firewall.  They're trying to ping an internal networked printer but get timed out.  I can ping to theirs just fine.

Since they can ping the firewall itself, I'm assuming something is holding it up at the domain controller level.  What do I need to check to allow them to ping internal machines?

Kevin
Kevin SmithAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
RPPreacherConnect With a Mentor Commented:
You need an access list permitting traffic from the firewall to the internal network
0
 
wingspinConnect With a Mentor Commented:
It could be several things.  
I'd check the default gateway setting of the remote VPN client.  The external IP address of the firewall won't do it.  It depends your setup as to what the gateway IP address should be.  You can try making their own IP address if you're stumped.

Is the VPN port NAT-ed to your domain controller?  

Are you running the Win-logon script after the VPN connects?  



0
 
just-one-itConnect With a Mentor Commented:
What type of vpn are you using?  Is the IP assigned to the vpn client in the same subnet as the printer they are trying to ping?
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
Rick HobbsConnect With a Mentor RETIREDCommented:
What type of firewall?  What is you VPN client?
0
 
just-one-itCommented:
Is there an echo in here? ;)
0
 
NYtechGuyConnect With a Mentor Commented:

It may also be routing:

- Is your network only one subnet, or are there other subnets/routers involved behind your firewall?  They may not have the necessary routes.
0
 
Ron MalmsteadConnect With a Mentor Information Services ManagerCommented:
Check my previously answered question on expertsexchange.

http://www.experts-exchange.com/Networking/Q_21774941.html

It may apply to you also.

Good luck.
0
 
Rob WilliamsConnect With a Mentor Commented:
Is the "firewall box" the default gateway for the devices you are trying to ping.
i.e. is the firewall box's LAN IP the added to the printer's configuration as it's gateway?
Also, the local and remote LAN subnets need to be different for the VPN.
0
 
Kevin SmithAuthor Commented:
Yes, the box is the the default gateway, but he can't ping any machine even if it is configured with the default gateway.
0
 
Rob WilliamsCommented:
-Are the subnets different ? The 2 LAN's should be.
-Are "they" pinging the LAN or the WAN IP of the firewall ?
-perhaps as asked earlier if you could provide more information as to the VPN configuration such as hardware make and model, and the client you are using, we could better assist.
0
 
nttranbaoConnect With a Mentor Commented:
from "them", open command promt and use tracert or pathping to trace the route. See whiere it stops responding.

I guess this is because of the firewall NOT allow ICMP from outside into the internal network. There would be nothing to do with routing since your internal network can ping "them" successfully.

If possible , tell us what kind of your Firewall? a computer or a cisco?
0
 
RPPreacherCommented:
Did you ever add an access-list?  It was the first suggestion and a very common issue with VPN connectivity issues.
0
 
Kevin SmithAuthor Commented:
The problem "fixed itself", althought I didn't do anything (guessing it might have been something on their end after all).  I didn't use any of the answers above, but did learn some things so I'm gonna split up the points to everybody if that's cool.
0
 
RPPreacherCommented:
Thanks.  Glad it resolved.
0
 
Rick HobbsRETIREDCommented:
Glad I could be of assistance. Thanks!
0
 
Rob WilliamsCommented:
Thanks ksmithscs,
--Rob
0
All Courses

From novice to tech pro — start learning today.