ping Problem

Posted on 2008-10-01
Last Modified: 2013-11-29
I logged into the router in the other site (VPN) PIX 501,
from there I try to ping my computer, but I get this
stsaus# ping NO response received -- 1010ms NO response received -- 1000ms NO response received -- 1000ms
When I add inside before my IP, I get this
stsaus# ping inside response received -- 340ms response received -- 330ms response received -- 330ms
why is that, and how can I get a direct ping, even though ICMP is allowed from the remote subnet to my subnet:
access-list inside_access_in permit icmp any any

My 2nd Question:
I would like to configure the CISCO PIX 501 to connect to my TFTP server on my machine, what is the list for that?

P.S: Configuration file attached, any more comments are welcome
Question by:khamees79
  • 4
  • 3
  • 3
LVL 12

Assisted Solution

Pugglewuggle earned 150 total points
ID: 22616817
That is strange. You shouldn't have to specify the interface keyword to ping local hosts.
As far as accessing the remote subnet goes, make sure the PIX has a route for that subnet defined. If it doesn't it won't work.
Upgrade your software if you can. The latest PIX version is 8.0.4. The software you're using is like 5 years old. You might be stuck with it though if you don't have enough RAM/flash
To run a TFTP server on your machine, just install one and set the root to somewhere you can easilty get too. I usually set the root to C:\TFTP. But that's just me. Here's a good TFTP program. It's called Pumpkin.
LVL 12

Expert Comment

ID: 22616888
BTW the route statement is like this (and you will need one to get on the web).
route interface_name ip_address netmask gateway_ip [metric]
To get to the web it might look like this:
route outside 1
To get to a remote subnet through router or other device it will look like this:
route inside 1
BTW: interface should be the interface connected to the router going to the other subnet. If remote VPN subnet use outside

Author Comment

ID: 22617464
Well, there is connection between the two sites, as the other site is using the mail server and databases in my branch, so the VPN is set and running if u check the config file attched.
The problem I could not get the router to contact my TFTP server, beside the ping issue.

About upgrading, it's th hardware problem again, and as it is a very small office in the remote site, I'm not considering getting a new one.
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

LVL 12

Expert Comment

ID: 22617558
The TFTP server and router have to be on the same network (broadcast domain) If there are seperated by a router or firewall or by VPN it won't work.
When I said upgrade I just meant the software version - it's free if you have a Cisco CCO and SmartNET contract on the devices.
LVL 79

Accepted Solution

lrmoore earned 350 total points
ID: 22617829
ping inside <destination> creates a ping that has a source IP of the inside interface. Useful in testing VPN connectivity.
Try adding :
 management-access inside

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

"SNMP polls to the mgmt_if
"HTTPS requests to the mgmt_if
"PDM access to the mgmt_if
"Telnet access to the mgmt_if
"SSH access to the mgmt_if
"Ping to the mgmt_if

Alas, it does not provide for TFTP access to the inside interface.
To be quite honest, the easiest way to manage a remote PIX is through the PDM, through the public IP address, or with SSH through the public IP address.

The only real reason to enable TFTP accross the VPN is to upgrade the OS or the PDM versions. If they are already running 6.3(5) and pdm 3.04, these are probably the very last versions ever to be published for the 501, so it becomes a moot point. If you do need to update them, just run a tftp server on a local (to the pix) machine. You can remotely control the PIX to tftp to/from the local machine.

LVL 12

Expert Comment

ID: 22618045
Once correction lrmoore - TFTP doesn't work over IPsec VPN. It is a broadcast protocol and broadcast traffic cannot traverse an IPsec VPN tunnel. A few other examples are DHCP and WOL.
As I stated you do need to place the TFTP server (aka computer running TFTP software) in a network directly connected to the device if you have a firewall or router in place.
One other option is the ip directed-broadcast command in Cisco routers... although this would probably be more of a pain than it's worth. It does let broadcast packets (such as TFTP ones) traverse Cisco routers. 

Author Comment

ID: 22624734
Thanks for the answers.

1: I was updating the PDM, this why i needed tftp, so I solved that by setting an TFTP on the local network of the PIX

2: The ping is still not running from the remote networks router to my machine, even though I'm accessing and setting the same router from my machine, It's not a big deal, but curious to know why?
I will settle the question tonight.
Best Regards
LVL 79

Expert Comment

ID: 22624818
>Once correction lrmoore - TFTP doesn't work over IPsec VPN
Why, sure it does, Pug. It is not a broadcast protocol. You just can't use it over the vpn to the vpn terminal device as I stated above, but end device to end device through the VPN works just fine.
Yes, some devices will broadcast for a tftp server - like the autoinstall on routers. That broadcast certainly won't go over the VPN tunnel, but you can always specify the ip address of the tftp server and it will work.

>The ping is still not running from the remote networks router to my machine, even though I'm accessing and setting the same router from my machine,
Not quite sure I follow the issue on this. Can you provide more details?

Author Comment

ID: 22625125
well, do not have more details lrmoore.
From my site, I can ping everything in the remote site. This satisfy my network analysis application.
But when I log into the router (SSH ), I can not ping my own machine, which I'm using to SSH the router.
I.E. there is connectivity. The only way to ping from the CLI of the router to my machine, is to use the INSIDE key before my IP.
LVL 79

Expert Comment

ID: 22625418
>ping from the CLI of the router
So, by "router" you mean the PIX? This is by design and working exactly as expected.
Let us know if there is anything else we can do for you..

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question