  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524

ping Problem

Hello,
I logged into the router at the other site (a PIX 501, over the VPN),
and from there I try to ping my computer, but I get this:
-----------------------
stsaus# ping 192.168.1.43
        192.168.1.43 NO response received -- 1010ms
        192.168.1.43 NO response received -- 1000ms
        192.168.1.43 NO response received -- 1000ms
----------------------------------
When I add "inside" before my IP, I get this:
-------------------------------------------
stsaus# ping inside 192.168.1.43
        192.168.1.43 response received -- 340ms
        192.168.1.43 response received -- 330ms
        192.168.1.43 response received -- 330ms
-------------------------------------------------------------
Why is that, and how can I get a direct ping, even though ICMP is allowed from the remote subnet to my subnet:
access-list inside_access_in permit icmp any any
?

My second question:
I would like to configure the Cisco PIX 501 to connect to the TFTP server on my machine. What access list do I need for that?

P.S.: Configuration file attached; any further comments are welcome.
Test.txt
Asked by: khamees79
2 Solutions
 
Pugglewuggle commented:
That is strange. You shouldn't have to specify the interface keyword to ping local hosts.
As far as accessing the remote subnet goes, make sure the PIX has a route for that subnet defined. If it doesn't, it won't work.
Upgrade your software if you can. The latest PIX version is 8.0.4. The software you're using is about 5 years old. You might be stuck with it, though, if you don't have enough RAM/flash.
To run a TFTP server on your machine, just install one and set the root to somewhere you can easily get to. I usually set the root to C:\TFTP, but that's just me. Here's a good TFTP program; it's called Pumpkin.
http://kin.klever.net/pumpkin/
 
 
Pugglewuggle commented:
BTW, the route statement looks like this (and you will need one to get on the web):
route interface_name ip_address netmask gateway_ip [metric]
To get to the web it might look like this:
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
To get to a remote subnet 192.168.8.0 through a router or other device at 192.168.1.1, it will look like this:
route inside 192.168.8.0 255.255.255.0 192.168.1.1 1
BTW: the interface should be the one connected to the router going to the other subnet. For a remote VPN subnet, use outside.
 
khamees79 (author) commented:
Well, there is a connection between the two sites, as the other site is using the mail server and databases in my branch, so the VPN is set up and running, if you check the attached config file.
The problem is that I could not get the router to contact my TFTP server, besides the ping issue.

About upgrading, it's the hardware problem again, and as it is a very small office at the remote site, I'm not considering getting a new one.

 
Pugglewuggle commented:
The TFTP server and router have to be on the same network (broadcast domain). If they are separated by a router or firewall or by a VPN, it won't work.
When I said upgrade I just meant the software version; it's free if you have a Cisco CCO account and a SmartNET contract on the devices.
 
lrmoore commented:
ping inside <destination> creates a ping that has a source IP of the inside interface. Useful in testing VPN connectivity.
Try adding:
 management-access inside

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

  • SNMP polls to the mgmt_if
  • HTTPS requests to the mgmt_if
  • PDM access to the mgmt_if
  • Telnet access to the mgmt_if
  • SSH access to the mgmt_if
  • Ping to the mgmt_if

Alas, it does not provide for TFTP access to the inside interface.
To be quite honest, the easiest way to manage a remote PIX is through the PDM, through the public IP address, or with SSH through the public IP address.

The only real reason to enable TFTP across the VPN is to upgrade the OS or the PDM versions. If they are already running 6.3(5) and PDM 3.04, these are probably the very last versions ever to be published for the 501, so it becomes a moot point. If you do need to update them, just run a TFTP server on a machine local to the PIX. You can remotely control the PIX to TFTP to/from the local machine.


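Added here as an illustration of how the pieces in lrmoore's answer fit together on the remote-site PIX 501 (this is not taken from the attached Test.txt and is not lrmoore's configuration). Everything except 192.168.1.43 and the PDM 3.04 version is assumed for the example: the remote inside subnet 192.168.8.0/24, the ACL name vpn_traffic, the crypto map name outside_map, the local TFTP host 192.168.8.20 and the file name pdm-304.bin. PIX 6.3 syntax:

```text
access-list vpn_traffic permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 10 match address vpn_traffic
management-access inside
ping inside 192.168.1.43
tftp-server inside 192.168.8.20 /
copy tftp://192.168.8.20/pdm-304.bin flash:pdm
```

The first two lines are the usual interesting-traffic definition for the site-to-site tunnel (peer, transform set and the other crypto map entries are omitted). `ping inside 192.168.1.43` is sourced from the inside interface address, which falls inside vpn_traffic and so is sent through the tunnel; a bare `ping 192.168.1.43` is sourced according to the route lookup instead, which is the difference the question observes, and `management-access inside` is the command lrmoore proposes for managing and pinging the inside address across the tunnel. The last two lines are the local-LAN upload lrmoore recommends: the TFTP server sits on the PIX's own inside network, so the tunnel is not involved at all.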
 
Pugglewuggle commented:
One correction, lrmoore: TFTP doesn't work over an IPsec VPN. It is a broadcast protocol, and broadcast traffic cannot traverse an IPsec VPN tunnel. A few other examples are DHCP and WOL.
As I stated, you do need to place the TFTP server (i.e. the computer running TFTP software) in a network directly connected to the device if you have a firewall or router in place.
One other option is the ip directed-broadcast command on Cisco routers, although this would probably be more of a pain than it's worth. It does let broadcast packets (such as TFTP ones) traverse Cisco routers.
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245 
 
 
khamees79 (author) commented:
Thanks for the answers.

1: I was updating the PDM; this is why I needed TFTP. I solved that by setting up a TFTP server on the local network of the PIX.

2: The ping is still not working from the remote network's router to my machine, even though I'm accessing and configuring the same router from my machine. It's not a big deal, but I'm curious to know why.
I will settle the question tonight.
Best Regards
 
lrmoore commented:
>One correction, lrmoore: TFTP doesn't work over an IPsec VPN
Why, sure it does, Pug. It is not a broadcast protocol. You just can't use it over the VPN to the VPN terminal device, as I stated above, but end device to end device through the VPN works just fine.
Yes, some devices will broadcast for a TFTP server, like the autoinstall on routers. That broadcast certainly won't go over the VPN tunnel, but you can always specify the IP address of the TFTP server and it will work.

>The ping is still not working from the remote network's router to my machine, even though I'm accessing and configuring the same router from my machine
Not quite sure I follow the issue on this. Can you provide more details?
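The disagreement between Pugglewuggle and lrmoore about whether TFTP is a broadcast protocol can be settled by looking at the exchange itself. The following is an added example, not code from either commenter: a lock-step TFTP read (RFC 1350 RRQ, DATA, ACK) driven between a client socket and a server socket on loopback in one thread. The file name `pdm-304.bin`, its contents and the loopback ports are constructed for the example. Two things it shows: every packet is unicast to a specific address, and the server answers the RRQ from a new UDP port (its transfer identifier), not from the well-known port the request went to.

```python
import socket
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512        # fixed data block size in classic TFTP
TIMEOUT = 2.0      # seconds; keeps a broken exchange from hanging the demo


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ: opcode, NUL-terminated file name, NUL-terminated mode."""
    return struct.pack("!H", RRQ) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def parse_rrq(pkt: bytes):
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode != RRQ:
        raise ValueError(f"expected RRQ, got opcode {opcode}")
    filename, mode, _ = pkt[2:].split(b"\0", 2)
    return filename.decode("ascii"), mode.decode("ascii").lower()


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def split_blocks(data: bytes):
    """A transfer ends on the first block shorter than 512 bytes, so a file whose
    length is an exact multiple of 512 (including an empty file) needs a trailing
    zero-length DATA block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if len(data) % BLOCK == 0:
        blocks.append(b"")
    return blocks


def run_read_exchange(filename: str, contents: bytes) -> dict:
    """Play both sides of one TFTP read on 127.0.0.1 and return what the client got,
    the number of DATA blocks, the port the RRQ was sent to and the port(s) DATA came from."""
    files = {filename: contents}                                    # the server's "root"
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # stand-in for udp/69
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)         # server's per-transfer socket
    for s in (listener, client, xfer):
        s.bind(("127.0.0.1", 0))
        s.settimeout(TIMEOUT)
    try:
        # 1. client -> server well-known port: RRQ, a plain unicast datagram
        client.sendto(build_rrq(filename), listener.getsockname())
        pkt, client_addr = listener.recvfrom(516)
        name, mode = parse_rrq(pkt)
        if mode != "octet" or name not in files:
            raise LookupError(f"cannot serve {name!r} in mode {mode!r}")

        received = bytearray()
        data_ports = set()
        for block_no, chunk in enumerate(split_blocks(files[name]), start=1):
            # 2. server -> client: DATA from the transfer socket, i.e. a NEW source port
            xfer.sendto(build_data(block_no, chunk), client_addr)
            pkt, server_addr = client.recvfrom(4 + BLOCK)
            opcode, got_block = struct.unpack("!HH", pkt[:4])
            if opcode != DATA or got_block != block_no:
                raise RuntimeError(f"unexpected packet opcode={opcode} block={got_block}")
            received += pkt[4:]
            data_ports.add(server_addr[1])
            # 3. client -> server: ACK goes back to the port the DATA came from
            client.sendto(build_ack(got_block), server_addr)
            if xfer.recvfrom(4)[0] != build_ack(block_no):
                raise RuntimeError("bad ACK")
        return {
            "data": bytes(received),
            "blocks": block_no,
            "rrq_port": listener.getsockname()[1],
            "data_ports": data_ports,
        }
    finally:
        for s in (listener, client, xfer):
            s.close()


if __name__ == "__main__":
    # constructed 1028-byte "image": three DATA blocks of 512, 512 and 4 bytes
    sample = bytes(range(256)) * 4 + b"tail"
    result = run_read_exchange("pdm-304.bin", sample)
    print(f"received {len(result['data'])} bytes in {result['blocks']} blocks; "
          f"RRQ sent to port {result['rrq_port']}, DATA came from {sorted(result['data_ports'])}")
```

The practical consequence for a firewall or VPN in the path is the second point: the reply does not come from udp/69, so a stateful device between client and server has to follow the new port. On PIX 6.3 that is what the TFTP inspection (`fixup protocol tftp 69`) does; with it the unicast exchange passes an IPsec tunnel end-to-end exactly as lrmoore says, while the PIX's own `copy tftp` toward a host on the far side of its tunnel is the separate case his earlier answer rules out.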
 
khamees79 (author) commented:
Well, I do not have more details, lrmoore.
From my site, I can ping everything in the remote site. This satisfies my network analysis application.
But when I log into the router (via SSH), I cannot ping my own machine, which I'm using to SSH to the router.
I.e., there is connectivity. The only way to ping from the CLI of the router to my machine is to use the "inside" keyword before my IP.
 
lrmoore commented:
>ping from the CLI of the router
So, by "router" you mean the PIX? This is by design and working exactly as expected.
Let us know if there is anything else we can do for you..
Thanks!
