Solved

Unable to ping Windows PC from a Linux system while on the Cisco PIX VPN

Posted on 2012-12-31
33
Medium Priority
1,368 Views
Last Modified: 2013-11-16
From outside using a Windows 7 PC, I'm able to VPN into the Cisco PIX firewall and ping all internal addresses fine. I'm able to PuTTY into a Linux box fine and ping the internet and all IPs from inside the network. But I'm unable to ping from the Linux box that is behind the Cisco firewall to the VPN address that I was assigned on my Windows PC with the firewall off from home. I'm only having issues with this Linux box even though the iptables/firewall are turned off as well. Please help!
Question by:crjaq
33 Comments
 
LVL 98

Expert Comment

by:John Hurst
ID: 38732759
So you can ping from local Windows 7 to remote Linux.

But from remote Linux, you cannot ping local Windows 7. Is this correct?

What VPN client are you using on Windows 7? If the built-in VPN client, then it excludes all but tunnel traffic and that may be why you cannot ping it.

To get a two way connection, you may need a local VPN router box.

What most people use is Logmein or the equivalent.

..... Thinkpads_User
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38732790
Are there explicit permissions for ICMP from Internal (Linux) to trusted (VPN)? You may have a rule issue.
start with little steps
from the Linux box, where can you ping or traceroute to along the path to your final destination?
does the ping to the IP just die?
have you tried via name resolution?
does DNS return the correct IP address?
(depending on which way you try with DNS - may have split brain issue)
but try and let us know what is working
can the Linux box ping other systems?
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38732794
Is the IP assigned to the Win 7 PC in the same subnet as the Linux PC? You likely can't ping any VPN connected devices from the LAN. The firewall should allow traffic originating on VPN to connect to LAN but not vice versa.
0
 

Author Comment

by:crjaq
ID: 38732855
From the Linux box, I can ping any other Windows or Linux box fine from inside. Just can't ping from this Linux box to the VPN clients, no replies. But I can ping from other Linux boxes to the VPN client.
0
 

Author Comment

by:crjaq
ID: 38732862
The IP assigned to the Win 7 PC is not on the same subnet as the Linux PC. But I'm still able to ping from a different Linux box to the Win 7. Strange!
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38732876
The IP Address at the other end of any VPN will be on a different subnet. That is normal.

I am not certain at this point why different Linux boxes are responding differently.

You might want to check the promiscuous settings on the network cards.
.... Thinkpads_User
0
 

Author Comment

by:crjaq
ID: 38732892
I'm not sure how to do that on that Linux box. Or what to look for.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38732920
Promiscuous mode is a setting on some but not all network cards. Newer cards may not have the setting. See the following two articles.

http://searchsecurity.techtarget.com/definition/promiscuous-mode   and

http://www.pcreview.co.uk/forums/make-network-adapter-promiscuous-t2312732.html

If your cards don't have the mode, then that is not it, but I do not know what else would allow one Linux box to ping and not the other.

.... Thinkpads_User
0
 

Author Comment

by:crjaq
ID: 38732962
Great! I'll take a look. The Linux box is over 6 years old.
0
 

Author Comment

by:crjaq
ID: 38733085
Still no luck after enabling the promisc mode on Linux box.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38733098
If it is only the one box (as you said above) and the box is 6 years old, there may be some other issue related to the age of the hardware or the Linux build that is on that box. Is it possible to (a) replace the machine, or (b) rebuild Linux on the machine?

I am probably out of suggestions at this point because you say all other machines are working.

.... Thinkpads_User
0
 

Author Comment

by:crjaq
ID: 38733131
It's just several people are using it right now and everything works fine when they can access that Linux box from inside vs. the vpn. It's just a mystery.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38733316
so networking in general is not the issue
neither are the basic firewall rules if ALL other Linux/Windows boxes can ping out
(just verifying that there is not a rule which encompasses the 'other boxes' and this unit is not included...)

still, all things discussed seem to point to an issue directly on this Linux box

can the client hit or ping this Linux box?

when you traceroute, what did you see?
Does it fail at the router...switch...firewall?
0
 

Author Comment

by:crjaq
ID: 38733408
Yes. The client can ping and PuTTY into the Linux box. The traceroute fails from the Linux box to the client, but there's just one hop from the client to the Linux box.
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38746799
Can you ping any resource outside the subnet from the Linux box? Please post the output of traceroute to 4.2.2.2.
0
 

Author Comment

by:crjaq
ID: 38746993
I've posted two traceroutes from the Linux box, to 4.2.2.2 and to the VPN client 192.168.0.2, below. When I run traceroute from another system, Win or Linux, to 192.168.0.2, it does reach 10.10.1.1 and the VPN client (two hops) > 192.168.0.2, and I'm able to ping as well. But no routes from the Linux box to the client.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.05 08:28:22 =~=~=~=~=~=~=~=~=~=~=~=
login as: root
root@triton's password:
Last login: Sat Jan  5 09:21:11 2013 from 192.168.0.2

[root@triton ~]# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  Dell_PowerConnect (10.10.1.1)  0.829 ms  0.183 ms  0.154 ms
 2  158-248-88-238.lightspeed.sndgca.sbcglobal.net (158.248.88.238)  1.467 ms  0.827 ms  0.617 ms
 3  158-225-56-3.lightspeed.sndgca.sbcglobal.net (158.225.56.3)  14.544 ms  9.330 ms  9.783 ms
 4  * * *
 5  * * *
 6  * * *
 7  12.83.70.149 (12.83.70.149)  10.623 ms  10.848 ms 12.83.70.141 (12.83.70.141)  11.447 ms
 8  ggr2.la2ca.ip.att.net (12.122.129.105)  13.905 ms  15.326 ms  11.815 ms
 9  192.205.37.146 (192.205.37.146)  12.954 ms  12.291 ms  12.815 ms
10  vl-3508-ve-122.ebr1.Tustin1.Level3.net (4.69.158.109)  12.743 ms vl-3506-ve-120.ebr1.Tustin1.Level3.net (4.69.158.101)  13.079 ms  12.930 ms
     MPLS Label=1433 CoS=0 TTL=1 S=1
11  ae-6-6.ebr1.LosAngeles1.Level3.net (4.69.153.221)  13.853 ms  13.894 ms  13.532 ms
     MPLS Label=1469 CoS=0 TTL=1 S=1
12  ae-83-83.csw3.LosAngeles1.Level3.net (4.69.137.42)  16.321 ms ae-63-63.csw1.LosAngeles1.Level3.net (4.69.137.34)  15.473 ms ae-73-73.csw2.LosAngeles1.Level3.net (4.69.137.38)  16.207 ms
     MPLS Label=1459 CoS=0 TTL=1 S=1
13  ae-1-60.edge3.LosAngeles1.Level3.net (4.69.144.9)  15.999 ms  16.148 ms ae-4-90.edge3.LosAngeles1.Level3.net (4.69.144.201)  17.729 ms
14  b.resolvers.Level3.net (4.2.2.2)  13.728 ms  18.763 ms  13.514 ms
[root@triton ~]# exit
logout


----------------------------------------------------------------------------------------------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.05 08:49:33 =~=~=~=~=~=~=~=~=~=~=~=
login as: root
root@triton's password:
Last login: Sat Jan  5 09:40:39 2013 from mars.hq.pulselink.net

[root@triton ~]# tracert 192.168.0.2
-bash: tracert: command not found
[root@triton ~]# traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *

[root@triton ~]# exit
logout
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38747081
I am half stumped. Assuming the PowerConnect at 10.10.1.1 is running layer 3, what ACLs are configured there?
0
 

Author Comment

by:crjaq
ID: 38747167
There are none. I'm stumped!
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38747177
@crjaq - Way back in this thread, this issue applies to one single box and it is an old box (6 years). Is it time for a newer machine?

... Thinkpads_User
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38747227
It's not a routing issue since inbound connections are returned. There is an ACL somewhere blocking this.
0
 

Author Comment

by:crjaq
ID: 38747286
I have a NAT exemption allowing all traffic from inside to the vpn client address pool > 192.168.0.*.
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 38748170
Did you try to do a packet capture (e.g. Wireshark) on the Windows box while being pinged from the Linux box? Do the counters for the VPN connection increase on both the PIX and the VPN client? (should be pretty visible while doing a flood-ping) If both counters increase, it's a problem with the Windows box itself; if only the PIX side goes up, it's most likely something in the client ... if neither increase, we need to be looking at the PIX ...
Edit: Just noticed another comment you added earlier about only this one Linux box not being able to contact the outside VPN clients. Did you run a packet capture on the PIX to see whether the packets for the VPN clients even arrived at the PIX? Should be pretty clear, as it can be contacted from the outside, but ...
0
 

Author Comment

by:crjaq
ID: 38748980
The packet tracer run on the PIX inside interface from the VPN client to the Linux box and vice versa was allowed successfully. The packet capture on the Windows box from the Linux box showed no replies.

Interesting note: When I ping from the Linux box to the VPN client, I get Deny messages on the PIX log viewer, listed below. But I don't get any deny messages when I ping from any other box. So it could be an ACL issue on the PIX after all? What is 192.168.0.26?

--------------------------------------------------------------------------------------------------------------------------------
4      Jan 06 2013      11:49:16      106023      192.168.0.26      192.168.0.2       Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]

"%PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL."
------------------------------------------------------------------------------------------------------------------------------
0
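An added example (not from this thread or from Cisco) showing how to parse %PIX|ASA-4-106023 deny messages like the one quoted above and tally them by ACL and source host, so that the blocking rule (here "inside_access_in_1") and the affected inside address stand out; the log lines are constructed, with the first two copied from the messages quoted in this thread and the rest made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of PIX/ASA syslog lines. The first two mirror the 106023 and
# 313005 messages quoted in the thread; the last two are made up here to show the
# parser handling a second destination and a non-ICMP (TCP, with ports) deny.
SAMPLE_LOG = """\
4 Jan 06 2013 11:49:16 106023 192.168.0.26 192.168.0.2 Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]
4 Jan 06 2013 12:52:52 313005 No matching connection for ICMP error message: icmp src Outside:192.168.0.2 dst inside:Triton (type 3, code 2) on Outside interface.  Original IP payload: <unknown>.
4 Jan 06 2013 11:50:02 106023 192.168.0.26 192.168.0.5 Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.5 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]
4 Jan 06 2013 11:51:10 106023 10.10.1.50 192.168.0.2 Deny tcp src inside:10.10.1.50/51234 dst Outside:192.168.0.2/445 by access-group "inside_access_in_1" [0x0, 0x0]
"""

# Pattern for the 106023 body as documented in the thread:
# Deny <proto> src <if>:<addr>[/port] dst <if>:<addr>[/port] [(type T, code C)] by access-group "<acl>"
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? by access-group "(?P<acl>[^"]+)"'
)

def parse_acl_denies(log_text):
    """Return one dict per 106023 (ACL deny) line; other message IDs such as 313005 are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and " 106023 " in line:
            events.append(m.groupdict())
    return events

def denies_by_acl_and_source(events, proto="icmp"):
    """Count denied flows per (acl, src_if, src) for one protocol, so the blocking ACL and host stand out."""
    return Counter((e["acl"], e["src_if"], e["src"]) for e in events if e["proto"] == proto)

if __name__ == "__main__":
    evs = parse_acl_denies(SAMPLE_LOG)
    for (acl, src_if, src), n in denies_by_acl_and_source(evs).items():
        print(f'ACL "{acl}" on interface {src_if} denied {n} ICMP echo request(s) from {src}')
```

On the sample above this reports two echo requests from 192.168.0.26 denied by "inside_access_in_1", which is the rule to inspect (and the host whose address does not match the expected inside subnet).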
 

Author Comment

by:crjaq
ID: 38749102
I get this warning on the PIX when I run a packet trace (packet type IP, not TCP) from the Linux box to the VPN client, even though the packet is allowed:

4      Jan 06 2013      12:52:52      313005                   No matching connection for ICMP error message: icmp src Outside:192.168.0.2 dst inside:Triton (type 3, code 2) on Outside interface.  Original IP payload: <unknown>.


%PIX|ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address dst dest_interface_name:dest_address (type icmp_type, code icmp_code) embedded_frame_info = prot src source_address/source_port dst dest_address/dest_port
ICMP error packets were dropped by the security appliance because the ICMP error messages are not related to any session already established in the security appliance.
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38749183
Stateful inspection is enabled. That's why you see the "no active sessions" message.
0
 

Author Comment

by:crjaq
ID: 38754576
Ok. Does that also apply to this message as well?

------------------------------------------------------------------------------------------------------------------------------
4      Jan 06 2013      11:49:16      106023      192.168.0.26      192.168.0.2       Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]

"%PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL."
-------------------------------------------------------------------------------------------------------------------------------
0
 

Author Comment

by:crjaq
ID: 38915067
We ended up using another Linux box since we weren't able to resolve it.
Thank you for all your responses.
0
 
LVL 98

Accepted Solution

by: John Hurst (earned 2000 total points)
ID: 38915256
"Replace the machine" was my answer way back here, so you should probably now close the question.
.... Thinkpads_User
0
 

Author Closing Comment

by:crjaq
ID: 38915276
Thanks!
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 38915287
Thank you and I was very happy to help.
... Thinkpads_User
0

Question has a verified solution.