Solved

ping Problem

Posted on 2008-10-01
Last Modified: 2013-11-29
Hello,
I logged into the router at the other site (VPN), a PIX 501, and from there I try to ping my computer, but I get this:
-----------------------
stsaus# ping 192.168.1.43
        192.168.1.43 NO response received -- 1010ms
        192.168.1.43 NO response received -- 1000ms
        192.168.1.43 NO response received -- 1000ms
-----------------------
When I add inside before my IP, I get this:
-----------------------
stsaus# ping inside 192.168.1.43
        192.168.1.43 response received -- 340ms
        192.168.1.43 response received -- 330ms
        192.168.1.43 response received -- 330ms
-----------------------
Why is that, and how can I get a direct ping, even though ICMP is allowed from the remote subnet to my subnet?
access-list inside_access_in permit icmp any any

My 2nd question:
I would like to configure the Cisco PIX 501 to connect to my TFTP server on my machine; what is the list for that?

P.S.: Configuration file attached; any more comments are welcome.
Test.txt
Question by:khamees79
10 Comments
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 150 total points
ID: 22616817
That is strange. You shouldn't have to specify the interface keyword to ping local hosts.
As far as accessing the remote subnet goes, make sure the PIX has a route for that subnet defined. If it doesn't, it won't work.
Upgrade your software if you can. The latest PIX version is 8.0.4. The software you're using is like 5 years old. You might be stuck with it, though, if you don't have enough RAM/flash.
To run a TFTP server on your machine, just install one and set the root to somewhere you can easily get to. I usually set the root to C:\TFTP, but that's just me. Here's a good TFTP program. It's called Pumpkin.
http://kin.klever.net/pumpkin/
 
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22616888
BTW, the route statement is like this (and you will need one to get on the web):
route interface_name ip_address netmask gateway_ip [metric]
To get to the web it might look like this:
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
To get to a remote subnet 192.168.8.0 through a router or other device at 192.168.1.1, it will look like this:
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
BTW: interface_name should be the interface connected to the router going to the other subnet. If it is a remote VPN subnet, use outside.
 
LVL 1

Author Comment

by:khamees79
ID: 22617464
Well, there is a connection between the two sites, as the other site is using the mail server and databases in my branch, so the VPN is set up and running, if you check the config file attached.
The problem is that I could not get the router to contact my TFTP server, besides the ping issue.

About upgrading, it's the hardware problem again, and as it is a very small office in the remote site, I'm not considering getting a new one.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22617558
The TFTP server and router have to be on the same network (broadcast domain). If they are separated by a router, a firewall or a VPN, it won't work.
When I said upgrade, I just meant the software version; it's free if you have a Cisco CCO account and a SmartNET contract on the devices.
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 350 total points
ID: 22617829
ping inside <destination> creates a ping that has a source IP of the inside interface. Useful in testing VPN connectivity.
Try adding:
 management-access inside

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

- SNMP polls to the mgmt_if
- HTTPS requests to the mgmt_if
- PDM access to the mgmt_if
- Telnet access to the mgmt_if
- SSH access to the mgmt_if
- Ping to the mgmt_if

Alas, it does not provide for TFTP access to the inside interface.
To be quite honest, the easiest way to manage a remote PIX is through the PDM, through the public IP address, or with SSH through the public IP address.

The only real reason to enable TFTP across the VPN is to upgrade the OS or the PDM versions. If they are already running 6.3(5) and PDM 3.04, these are probably the very last versions ever to be published for the 501, so it becomes a moot point. If you do need to update them, just run a TFTP server on a machine local to the PIX. You can remotely control the PIX to TFTP to/from the local machine.

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22618045
One correction, lrmoore: TFTP doesn't work over an IPsec VPN. It is a broadcast protocol, and broadcast traffic cannot traverse an IPsec VPN tunnel. A few other examples are DHCP and WOL.
As I stated, you do need to place the TFTP server (aka the computer running TFTP software) in a network directly connected to the device if you have a firewall or router in place.
One other option is the ip directed-broadcast command in Cisco routers, although this would probably be more of a pain than it's worth. It does let broadcast packets (such as TFTP ones) traverse Cisco routers.
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245
 
 
LVL 1

Author Comment

by:khamees79
ID: 22624734
Thanks for the answers.

1: I was updating the PDM; this is why I needed TFTP. I solved that by setting up a TFTP server on the local network of the PIX.

2: The ping is still not running from the remote network's router to my machine, even though I'm accessing and configuring the same router from my machine. It's not a big deal, but I'm curious to know why.
I will settle the question tonight.
Best regards
 
LVL 79

Expert Comment

by:lrmoore
ID: 22624818
>One correction, lrmoore: TFTP doesn't work over an IPsec VPN
Why, sure it does, Pug. It is not a broadcast protocol. You just can't use it over the VPN to the VPN terminal device, as I stated above, but end device to end device through the VPN works just fine.
Yes, some devices will broadcast for a TFTP server, like the autoinstall on routers. That broadcast certainly won't go over the VPN tunnel, but you can always specify the IP address of the TFTP server and it will work.

>The ping is still not running from the remote network's router to my machine, even though I'm accessing and configuring the same router from my machine
Not quite sure I follow the issue on this. Can you provide more details?
 
LVL 1

Author Comment

by:khamees79
ID: 22625125
Well, I do not have more details, lrmoore.
From my site, I can ping everything in the remote site. This satisfies my network analysis application.
But when I log into the router (SSH), I cannot ping my own machine, which I'm using to SSH to the router.
I.e., there is connectivity. The only way to ping from the CLI of the router to my machine is to use the inside keyword before my IP.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22625418
>ping from the CLI of the router
So, by "router" you mean the PIX? This is by design and working exactly as expected.
Let us know if there is anything else we can do for you.
Thanks!