ping Problem

I logged into the router in the other site (VPN) PIX 501,
from there I try to ping my computer, but I get this
stsaus# ping NO response received -- 1010ms NO response received -- 1000ms NO response received -- 1000ms
When I add inside before my IP, I get this
stsaus# ping inside response received -- 340ms response received -- 330ms response received -- 330ms
why is that, and how can I get a direct ping, even though ICMP is allowed from the remote subnet to my subnet:
access-list inside_access_in permit icmp any any

My 2nd Question:
I would like to configure the CISCO PIX 501 to connect to my TFTP server on my machine, what is the list for that?

P.S: Configuration file attached, any more comments are welcome
Who is Participating?
ping inside <destination> creates a ping that has a source IP of the inside interface. Useful in testing VPN connectivity.
Try adding :
 management-access inside

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

"SNMP polls to the mgmt_if
"HTTPS requests to the mgmt_if
"PDM access to the mgmt_if
"Telnet access to the mgmt_if
"SSH access to the mgmt_if
"Ping to the mgmt_if

Alas, it does not provide for TFTP access to the inside interface.
To be quite honest, the easiest way to manage a remote PIX is through the PDM, through the public IP address, or with SSH through the public IP address.

The only real reason to enable TFTP accross the VPN is to upgrade the OS or the PDM versions. If they are already running 6.3(5) and pdm 3.04, these are probably the very last versions ever to be published for the 501, so it becomes a moot point. If you do need to update them, just run a tftp server on a local (to the pix) machine. You can remotely control the PIX to tftp to/from the local machine.

That is strange. You shouldn't have to specify the interface keyword to ping local hosts.
As far as accessing the remote subnet goes, make sure the PIX has a route for that subnet defined. If it doesn't it won't work.
Upgrade your software if you can. The latest PIX version is 8.0.4. The software you're using is like 5 years old. You might be stuck with it though if you don't have enough RAM/flash
To run a TFTP server on your machine, just install one and set the root to somewhere you can easilty get too. I usually set the root to C:\TFTP. But that's just me. Here's a good TFTP program. It's called Pumpkin.
BTW the route statement is like this (and you will need one to get on the web).
route interface_name ip_address netmask gateway_ip [metric]
To get to the web it might look like this:
route outside 1
To get to a remote subnet through router or other device it will look like this:
route inside 1
BTW: interface should be the interface connected to the router going to the other subnet. If remote VPN subnet use outside
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

khamees79Author Commented:
Well, there is connection between the two sites, as the other site is using the mail server and databases in my branch, so the VPN is set and running if u check the config file attched.
The problem I could not get the router to contact my TFTP server, beside the ping issue.

About upgrading, it's th hardware problem again, and as it is a very small office in the remote site, I'm not considering getting a new one.
The TFTP server and router have to be on the same network (broadcast domain) If there are seperated by a router or firewall or by VPN it won't work.
When I said upgrade I just meant the software version - it's free if you have a Cisco CCO and SmartNET contract on the devices.
Once correction lrmoore - TFTP doesn't work over IPsec VPN. It is a broadcast protocol and broadcast traffic cannot traverse an IPsec VPN tunnel. A few other examples are DHCP and WOL.
As I stated you do need to place the TFTP server (aka computer running TFTP software) in a network directly connected to the device if you have a firewall or router in place.
One other option is the ip directed-broadcast command in Cisco routers... although this would probably be more of a pain than it's worth. It does let broadcast packets (such as TFTP ones) traverse Cisco routers. 
khamees79Author Commented:
Thanks for the answers.

1: I was updating the PDM, this why i needed tftp, so I solved that by setting an TFTP on the local network of the PIX

2: The ping is still not running from the remote networks router to my machine, even though I'm accessing and setting the same router from my machine, It's not a big deal, but curious to know why?
I will settle the question tonight.
Best Regards
>Once correction lrmoore - TFTP doesn't work over IPsec VPN
Why, sure it does, Pug. It is not a broadcast protocol. You just can't use it over the vpn to the vpn terminal device as I stated above, but end device to end device through the VPN works just fine.
Yes, some devices will broadcast for a tftp server - like the autoinstall on routers. That broadcast certainly won't go over the VPN tunnel, but you can always specify the ip address of the tftp server and it will work.

>The ping is still not running from the remote networks router to my machine, even though I'm accessing and setting the same router from my machine,
Not quite sure I follow the issue on this. Can you provide more details?
khamees79Author Commented:
well, do not have more details lrmoore.
From my site, I can ping everything in the remote site. This satisfy my network analysis application.
But when I log into the router (SSH ), I can not ping my own machine, which I'm using to SSH the router.
I.E. there is connectivity. The only way to ping from the CLI of the router to my machine, is to use the INSIDE key before my IP.
>ping from the CLI of the router
So, by "router" you mean the PIX? This is by design and working exactly as expected.
Let us know if there is anything else we can do for you..
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.