ping Problem

Posted on 2008-10-01
Medium Priority
Last Modified: 2013-11-29
I logged into the router in the other site (VPN) PIX 501,
from there I try to ping my computer, but I get this
stsaus# ping NO response received -- 1010ms NO response received -- 1000ms NO response received -- 1000ms
When I add inside before my IP, I get this
stsaus# ping inside response received -- 340ms response received -- 330ms response received -- 330ms
why is that, and how can I get a direct ping, even though ICMP is allowed from the remote subnet to my subnet:
access-list inside_access_in permit icmp any any

My 2nd Question:
I would like to configure the CISCO PIX 501 to connect to my TFTP server on my machine, what is the list for that?

P.S: Configuration file attached, any more comments are welcome
Question by:khamees79
LVL 12

Assisted Solution

Pugglewuggle earned 450 total points
ID: 22616817
That is strange. You shouldn't have to specify the interface keyword to ping local hosts.
As far as accessing the remote subnet goes, make sure the PIX has a route for that subnet defined. If it doesn't it won't work.
Upgrade your software if you can. The latest PIX version is 8.0.4. The software you're using is like 5 years old. You might be stuck with it though if you don't have enough RAM/flash.
To run a TFTP server on your machine, just install one and set the root to somewhere you can easily get to. I usually set the root to C:\TFTP. But that's just me. Here's a good TFTP program. It's called Pumpkin.
LVL 12

Expert Comment

ID: 22616888
BTW the route statement is like this (and you will need one to get on the web).
route interface_name ip_address netmask gateway_ip [metric]
To get to the web it might look like this:
route outside 1
To get to a remote subnet through router or other device it will look like this:
route inside 1
BTW: interface should be the interface connected to the router going to the other subnet. If it is a remote VPN subnet, use outside.

Author Comment

ID: 22617464
Well, there is a connection between the two sites, as the other site is using the mail server and databases in my branch, so the VPN is set and running, if you check the config file attached.
The problem is I could not get the router to contact my TFTP server, besides the ping issue.

About upgrading, it's the hardware problem again, and as it is a very small office in the remote site, I'm not considering getting a new one.

LVL 12

Expert Comment

ID: 22617558
The TFTP server and router have to be on the same network (broadcast domain). If they are separated by a router or firewall or by VPN it won't work.
When I said upgrade I just meant the software version - it's free if you have a Cisco CCO and SmartNET contract on the devices.
LVL 79

Accepted Solution

lrmoore earned 1050 total points
ID: 22617829
ping inside <destination> creates a ping that has a source IP of the inside interface. Useful in testing VPN connectivity.
Try adding :
 management-access inside

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

  • SNMP polls to the mgmt_if
  • HTTPS requests to the mgmt_if
  • PDM access to the mgmt_if
  • Telnet access to the mgmt_if
  • SSH access to the mgmt_if
  • Ping to the mgmt_if

Alas, it does not provide for TFTP access to the inside interface.
To be quite honest, the easiest way to manage a remote PIX is through the PDM, through the public IP address, or with SSH through the public IP address.

The only real reason to enable TFTP across the VPN is to upgrade the OS or the PDM versions. If they are already running 6.3(5) and pdm 3.04, these are probably the very last versions ever to be published for the 501, so it becomes a moot point. If you do need to update them, just run a tftp server on a local (to the pix) machine. You can remotely control the PIX to tftp to/from the local machine.

LVL 12

Expert Comment

ID: 22618045
One correction lrmoore - TFTP doesn't work over IPsec VPN. It is a broadcast protocol and broadcast traffic cannot traverse an IPsec VPN tunnel. A few other examples are DHCP and WOL.
As I stated you do need to place the TFTP server (aka computer running TFTP software) in a network directly connected to the device if you have a firewall or router in place.
One other option is the ip directed-broadcast command in Cisco routers... although this would probably be more of a pain than it's worth. It does let broadcast packets (such as TFTP ones) traverse Cisco routers.

Author Comment

ID: 22624734
Thanks for the answers.

1: I was updating the PDM, this is why I needed TFTP, so I solved that by setting up a TFTP server on the local network of the PIX.

2: The ping is still not running from the remote network's router to my machine, even though I'm accessing and setting the same router from my machine. It's not a big deal, but I'm curious to know why?
I will settle the question tonight.
Best Regards
LVL 79

Expert Comment

ID: 22624818
>Once correction lrmoore - TFTP doesn't work over IPsec VPN
Why, sure it does, Pug. It is not a broadcast protocol. You just can't use it over the vpn to the vpn terminal device as I stated above, but end device to end device through the VPN works just fine.
Yes, some devices will broadcast for a tftp server - like the autoinstall on routers. That broadcast certainly won't go over the VPN tunnel, but you can always specify the ip address of the tftp server and it will work.

>The ping is still not running from the remote networks router to my machine, even though I'm accessing and setting the same router from my machine,
Not quite sure I follow the issue on this. Can you provide more details?

Author Comment

ID: 22625125
Well, I do not have more details, lrmoore.
From my site, I can ping everything in the remote site. This satisfies my network analysis application.
But when I log into the router (SSH), I cannot ping my own machine, which I'm using to SSH to the router.
I.e., there is connectivity. The only way to ping from the CLI of the router to my machine is to use the INSIDE key before my IP.
LVL 79

Expert Comment

ID: 22625418
>ping from the CLI of the router
So, by "router" you mean the PIX? This is by design and working exactly as expected.
Let us know if there is anything else we can do for you..
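The thread says the bare ping failing while `ping inside <ip>` works is "by design" without spelling out why. The usual reason, assumed here and modelled in this added example (not code from the thread or from Cisco), is that a site-to-site tunnel only encrypts traffic matching its crypto ACL: a ping with no interface keyword is sourced from the egress (outside) interface address, which the crypto ACL does not cover, so it leaves in the clear and gets no reply; `ping inside` sources it from the inside address, which does match. All addresses, subnets and the crypto ACL below are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (not from the thread): the remote PIX's interface
# addresses, its local LAN, the site-to-site crypto ACL, and the admin host
# at the main branch that the PIX is being pinged from / managed from.
PIX_INSIDE_IP = ip_address("192.168.2.1")
PIX_OUTSIDE_IP = ip_address("203.0.113.10")
PIX_INSIDE_NET = ip_network("192.168.2.0/24")
ADMIN_HOST = ip_address("192.168.1.50")
# Models: access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
CRYPTO_ACL = [(ip_network("192.168.2.0/24"), ip_network("192.168.1.0/24"))]


def matches_crypto_acl(src, dst, acl=CRYPTO_ACL):
    """True when src->dst is 'interesting traffic' for the IPsec tunnel."""
    return any(src in local and dst in remote for local, remote in acl)


def pix_ping_source(dest, interface=None):
    """Assumed PIX 'ping [if_name] ip' source selection: the named interface's
    address if given, otherwise the address of the interface the packet
    egresses on (anything not on the inside LAN egresses via outside)."""
    if interface == "inside":
        return PIX_INSIDE_IP
    if interface == "outside":
        return PIX_OUTSIDE_IP
    return PIX_INSIDE_IP if dest in PIX_INSIDE_NET else PIX_OUTSIDE_IP


def ping_enters_tunnel(dest, interface=None):
    """Return (source_ip, encrypted) for a ping issued on the PIX CLI."""
    src = pix_ping_source(dest, interface)
    return src, matches_crypto_acl(src, dest)


if __name__ == "__main__":
    for iface in (None, "inside"):
        src, ok = ping_enters_tunnel(ADMIN_HOST, iface)
        cmd = f"ping {iface} {ADMIN_HOST}" if iface else f"ping {ADMIN_HOST}"
        verdict = "encrypted into the VPN" if ok else "sent in the clear, no reply"
        print(f"{cmd}: source {src} -> {verdict}")
```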
