Solved

Unable to ping Windows PC from a Linux system while on the Cisco PIX VPN

Posted on 2012-12-31
33
1,328 Views
Last Modified: 2013-11-16
From outside, using a Windows 7 PC, I'm able to VPN into the Cisco PIX firewall and ping all internal addresses fine. I'm able to PuTTY into a Linux box fine and ping the internet and all IPs from inside the network. But I'm unable to ping from the Linux box that is behind the Cisco firewall to the VPN address that I was assigned on my Windows PC, with the firewall off, from home. I'm only having issues with this Linux box, even though the iptables/firewall are turned off as well. Please help!
0
Comment
Question by:crjaq
33 Comments
 
LVL 90

Expert Comment

by:John Hurst
So you can ping from local Windows 7 to remote Linux.

But from remote Linux, you cannot ping local Windows 7. Is this correct?

What VPN client are you using on Windows 7?  If the built-in VPN client, then it excludes all but tunnel traffic and that may be why you cannot ping it.

To get a two way connection, you may need a local VPN router box.

What most people use is Logmein or the equivalent.

..... Thinkpads_User
0
 
LVL 12

Expert Comment

by:DarinTCH
Are there explicit permissions for ICMP from internal (Linux) to trusted (VPN)? You may have a rule issue.
Start with little steps:
From the Linux box, where can you ping or traceroute to along the path to your final destination?
Does the ping to the IP just die?
Have you tried via name resolution?
Does DNS return the correct IP address?
(Depending on which way you try with DNS, you may have a split-brain issue.)
But try and let us know what is working.
Can the Linux box ping other systems?
0
 
LVL 10

Expert Comment

by:djcanter
Is the IP assigned to the Win 7 PC in the same subnet as the Linux PC? You likely can't ping any VPN-connected devices from the LAN. The firewall should allow traffic originating on the VPN to connect to the LAN, but not vice versa.
0
 

Author Comment

by:crjaq
From the Linux box, I can ping any other Windows or Linux box fine from inside. I just can't ping from this Linux box to the VPN clients; I get no replies. But I can ping from other Linux boxes to the VPN client.
0
 

Author Comment

by:crjaq
The IP assigned to the Win 7 PC is not on the same subnet as the Linux PC. But I'm still able to ping from a different Linux box to the Win 7. Strange!
0
 
LVL 90

Expert Comment

by:John Hurst
The IP Address at the other end of any VPN will be on a different subnet. That is normal.

I am not certain at this point why different Linux boxes are responding differently.

You might want to check the promiscuous settings on the network cards.
.... Thinkpads_User
0
 

Author Comment

by:crjaq
I'm not sure how to do that on that Linux box. Or what to look for.
0
 
LVL 90

Expert Comment

by:John Hurst
Promiscuous mode is a setting on some but not all network cards. Newer cards may not have the setting. See the following two articles.

http://searchsecurity.techtarget.com/definition/promiscuous-mode   and

http://www.pcreview.co.uk/forums/make-network-adapter-promiscuous-t2312732.html

If your cards don't have the mode, then that is not it, but I do not know what else would allow one linux box to ping and not the other.

.... Thinkpads_User
0
 

Author Comment

by:crjaq
Great! I'll take a look. The linux box is over 6 years old.
0
 

Author Comment

by:crjaq
Still no luck after enabling promisc mode on the Linux box.
0
 
LVL 90

Expert Comment

by:John Hurst
If it is only the one box (as you said above) and the box is 6 years old, there may be some other issue related to the age of the hardware or the Linux build that is on that box. Is it possible to (a) replace the machine, or (b) rebuild Linux on the machine?  

I am probably out of suggestions at this point because you say all other machines are working.

.... Thinkpads_User
0
 

Author Comment

by:crjaq
It's just that several people are using it right now, and everything works fine when they access that Linux box from inside vs. the VPN. It's just a mystery.
0
 
LVL 12

Expert Comment

by:DarinTCH
So networking in general is not the issue.
Neither are the basic firewall rules, if ALL other Linux/Windows boxes can ping out
(just verifying that there is not a rule which encompasses the 'other boxes' and this unit is not included...).

Still, all things discussed seem to point to an issue directly on this Linux box.

Can the client hit or ping this Linux box?

When you traceroute, what did you see?
Does it fail at the router... switch... firewall?
0
 

Author Comment

by:crjaq
Yes. The client can ping and PuTTY to the Linux box. The traceroute fails from the Linux box to the client, but there's just one hop from the client to the Linux box.
0
 
LVL 10

Expert Comment

by:djcanter
Can you ping any resource outside the subnet from the Linux box? Please post the output of traceroute to 4.2.2.2.
0
 

Author Comment

by:crjaq
I've posted two traceroutes from the Linux box, to 4.2.2.2 and to the VPN client 192.168.0.2, below. When I run traceroute from another system, Win or Linux, to 192.168.0.2, it does reach 10.10.1.1 and the VPN client (two hops) > 192.168.0.2, and I'm able to ping as well. But no route from the Linux box to the client.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.05 08:28:22 =~=~=~=~=~=~=~=~=~=~=~=
login as: root
root@triton's password:
Last login: Sat Jan  5 09:21:11 2013 from 192.168.0.2

[root@triton ~]# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  Dell_PowerConnect (10.10.1.1)  0.829 ms  0.183 ms  0.154 ms
 2  158-248-88-238.lightspeed.sndgca.sbcglobal.net (158.248.88.238)  1.467 ms  0.827 ms  0.617 ms
 3  158-225-56-3.lightspeed.sndgca.sbcglobal.net (158.225.56.3)  14.544 ms  9.330 ms  9.783 ms
 4  * * *
 5  * * *
 6  * * *
 7  12.83.70.149 (12.83.70.149)  10.623 ms  10.848 ms 12.83.70.141 (12.83.70.141)  11.447 ms
 8  ggr2.la2ca.ip.att.net (12.122.129.105)  13.905 ms  15.326 ms  11.815 ms
 9  192.205.37.146 (192.205.37.146)  12.954 ms  12.291 ms  12.815 ms
10  vl-3508-ve-122.ebr1.Tustin1.Level3.net (4.69.158.109)  12.743 ms vl-3506-ve-120.ebr1.Tustin1.Level3.net (4.69.158.101)  13.079 ms  12.930 ms
     MPLS Label=1433 CoS=0 TTL=1 S=1
11  ae-6-6.ebr1.LosAngeles1.Level3.net (4.69.153.221)  13.853 ms  13.894 ms  13.532 ms
     MPLS Label=1469 CoS=0 TTL=1 S=1
12  ae-83-83.csw3.LosAngeles1.Level3.net (4.69.137.42)  16.321 ms ae-63-63.csw1.LosAngeles1.Level3.net (4.69.137.34)  15.473 ms ae-73-73.csw2.LosAngeles1.Level3.net (4.69.137.38)  16.207 ms
     MPLS Label=1459 CoS=0 TTL=1 S=1
13  ae-1-60.edge3.LosAngeles1.Level3.net (4.69.144.9)  15.999 ms  16.148 ms ae-4-90.edge3.LosAngeles1.Level3.net (4.69.144.201)  17.729 ms
14  b.resolvers.Level3.net (4.2.2.2)  13.728 ms  18.763 ms  13.514 ms
[root@triton ~]# exit
logout


----------------------------------------------------------------------------------------------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.05 08:49:33 =~=~=~=~=~=~=~=~=~=~=~=
login as: root
root@triton's password:
Last login: Sat Jan  5 09:40:39 2013 from mars.hq.pulselink.net

[root@triton ~]# tracert 192.168.0.2
-bash: tracert: command not found
[root@triton ~]# traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *

[root@triton ~]# exit
logout
0
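A small diagnostic to compare the two traces above, added here as an example and not part of the thread or of any Cisco tool: it parses the traceroute output the author posted (the trace bodies are embedded inline, copied from the PuTTY session above) and reports whether the target answered, the last hop that answered, and the first hop that went silent. The interpretation sentences are my own wording; the trace text is the thread's.

```python
"""Find where a traceroute path stops answering and whether the target replied.

Added example for this thread, not the PIX's or traceroute's own code. The two
traces below are copied from the author's PuTTY session on the Linux box
"triton" (trace body only, prompts omitted).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Numbered hop line: hop number, then responders with RTTs, or "* * *"
_HOP_LINE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
# Responder addresses appear in parentheses after the hostname
_IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Hop:
    number: int
    responders: List[str] = field(default_factory=list)  # distinct IPs that answered


def parse_traceroute(text: str) -> List[Hop]:
    """One Hop per numbered line; header and 'MPLS Label=' continuation lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        seen: List[str] = []
        for ip in _IPV4.findall(m["rest"]):
            if ip not in seen:
                seen.append(ip)
        hops.append(Hop(int(m["hop"]), seen))
    return hops


def diagnose(text: str, target: str) -> Dict[str, Optional[object]]:
    """Summarise a trace toward `target` (dotted-quad string)."""
    hops = parse_traceroute(text)
    answering = [h for h in hops if h.responders]
    silent = [h for h in hops if not h.responders]
    reached_at = next((h.number for h in hops if target in h.responders), None)
    return {
        "hops_seen": len(hops),
        "reached": reached_at is not None,
        "reached_at_hop": reached_at,
        "last_responding_hop": answering[-1].number if answering else None,
        "first_silent_hop": silent[0].number if silent else None,
    }


def interpret(result: Dict[str, Optional[object]]) -> str:
    """Turn the summary into the sentence a troubleshooter wants to read."""
    if result["reached"]:
        return f"target answered at hop {result['reached_at_hop']}"
    if result["last_responding_hop"] is None:
        return ("no hop answered at all: packets are not leaving the source host "
                "or are dropped before any hop replies")
    return (f"path answers up to hop {result['last_responding_hop']} and is silent "
            f"from hop {result['first_silent_hop']} on")


TRACE_TO_RESOLVER = """\
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  Dell_PowerConnect (10.10.1.1)  0.829 ms  0.183 ms  0.154 ms
 2  158-248-88-238.lightspeed.sndgca.sbcglobal.net (158.248.88.238)  1.467 ms  0.827 ms  0.617 ms
 3  158-225-56-3.lightspeed.sndgca.sbcglobal.net (158.225.56.3)  14.544 ms  9.330 ms  9.783 ms
 4  * * *
 5  * * *
 6  * * *
 7  12.83.70.149 (12.83.70.149)  10.623 ms  10.848 ms 12.83.70.141 (12.83.70.141)  11.447 ms
 8  ggr2.la2ca.ip.att.net (12.122.129.105)  13.905 ms  15.326 ms  11.815 ms
 9  192.205.37.146 (192.205.37.146)  12.954 ms  12.291 ms  12.815 ms
10  vl-3508-ve-122.ebr1.Tustin1.Level3.net (4.69.158.109)  12.743 ms vl-3506-ve-120.ebr1.Tustin1.Level3.net (4.69.158.101)  13.079 ms  12.930 ms
     MPLS Label=1433 CoS=0 TTL=1 S=1
11  ae-6-6.ebr1.LosAngeles1.Level3.net (4.69.153.221)  13.853 ms  13.894 ms  13.532 ms
     MPLS Label=1469 CoS=0 TTL=1 S=1
12  ae-83-83.csw3.LosAngeles1.Level3.net (4.69.137.42)  16.321 ms ae-63-63.csw1.LosAngeles1.Level3.net (4.69.137.34)  15.473 ms ae-73-73.csw2.LosAngeles1.Level3.net (4.69.137.38)  16.207 ms
     MPLS Label=1459 CoS=0 TTL=1 S=1
13  ae-1-60.edge3.LosAngeles1.Level3.net (4.69.144.9)  15.999 ms  16.148 ms ae-4-90.edge3.LosAngeles1.Level3.net (4.69.144.201)  17.729 ms
14  b.resolvers.Level3.net (4.2.2.2)  13.728 ms  18.763 ms  13.514 ms
"""

TRACE_TO_VPN_CLIENT = """\
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 38 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
"""

if __name__ == "__main__":
    for label, text, target in (("4.2.2.2", TRACE_TO_RESOLVER, "4.2.2.2"),
                                ("VPN client", TRACE_TO_VPN_CLIENT, "192.168.0.2")):
        print(f"{label}: {interpret(diagnose(text, target))}")
```

The contrast the two summaries make is the useful part: toward 4.2.2.2 the first-hop switch at 10.10.1.1 answers and only a few transit hops are silent, while toward the VPN client not even that first hop replies, so the probe packets are never reaching a device that would send ICMP time-exceeded back to this host.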
 
LVL 10

Expert Comment

by:djcanter
I am half stumped. Assuming the PowerConnect at 10.10.1.1 is running layer 3, what ACLs are configured there?
0
 

Author Comment

by:crjaq
There are none. I'm stumped!
0
 
LVL 90

Expert Comment

by:John Hurst
@crjaq - Way back in this thread, this issue applies to one single box and it is an old box (6 years). Is it time for a newer machine?

... Thinkpads_User
0
 
LVL 10

Expert Comment

by:djcanter
It's not a routing issue, since inbound connections are returned. There is an ACL somewhere blocking this.
0
 

Author Comment

by:crjaq
I have a NAT exemption allowing all traffic from inside to the VPN client address pool > 192.168.0.*.
0
 
LVL 17

Expert Comment

by:Garry-G
Did you try to do a packet capture (e.g. Wireshark) on the Windows box while being pinged from the Linux box? Do the counters for the VPN connection increase on both the PIX and the VPN client? (Should be pretty visible while doing a flood ping.) If both counters increase, it's a problem with the Windows box itself; if only the PIX side goes up, it's most likely something in the client... if neither increases, we need to be looking at the PIX...
Edit: Just noticed another comment you added earlier about only this one Linux box not being able to contact the outside VPN clients. Did you run a packet capture on the PIX to see whether the packets for the VPN clients even arrived at the PIX? Should be pretty clear, as it can be contacted from the outside, but...
0
 

Author Comment

by:crjaq
The packet tracer run on the PIX inside interface from the VPN client to the Linux box, and vice versa, was allowed successfully. The packet capture on the Windows box from the Linux box showed no replies.

Interesting note: when I ping from the Linux box to the VPN client, I get Deny messages in the PIX log viewer, listed below. But I don't get any deny messages when I ping from any other box. So it could be an ACL issue on the PIX after all? What is 192.168.0.26?

--------------------------------------------------------------------------------------------------------------------------------
4      Jan 06 2013      11:49:16      106023      192.168.0.26      192.168.0.2       Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]

"%PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL."
------------------------------------------------------------------------------------------------------------------------------
0
 

Author Comment

by:crjaq
I get this warning on the PIX when I run a packet trace (packet type IP, not TCP) from the Linux box to the VPN client, even though the packet is allowed:

4      Jan 06 2013      12:52:52      313005                   No matching connection for ICMP error message: icmp src Outside:192.168.0.2 dst inside:Triton (type 3, code 2) on Outside interface.  Original IP payload: <unknown>.


%PIX|ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address dst dest_interface_name:dest_address (type icmp_type, code icmp_code) embedded_frame_info = prot src source_address/source_port dst dest_address/dest_port
ICMP error packets were dropped by the security appliance because the ICMP error messages are not related to any session already established in the security appliance.
0
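The two PIX messages quoted in this thread, the 106023 ACL deny in the earlier comment and the 313005 stateful ICMP drop just above, are easier to reason about once parsed. The following is an added example, not the PIX's or the thread's own code: it extracts interface, address, ICMP type/code and ACL name from log-viewer lines like the ones the author posted (both lines embedded inline, copied from the thread), classifies each as an ACL deny or a stateful-inspection drop, and flags whether the logged source address sits inside the VPN pool. The 192.168.0.0/24 pool prefix is an assumption taken from the author's "192.168.0.*" remark; the ICMP type/code names come from RFC 792.

```python
"""Parse Cisco PIX/ASA log-viewer lines for message ids 106023 and 313005.

Added example for this thread; not Cisco's code. Sample lines are the two the
author posted. VPN_POOL is an assumption based on the author's "192.168.0.*".
"""
import ipaddress
import re
from typing import Optional

VPN_POOL = "192.168.0.0/24"  # assumed from the thread's "192.168.0.*" pool remark

# Log-viewer columns: severity, date, time, message id, [src], [dst], message text
_HEADER = re.compile(
    r"^(?P<severity>\d)\s+(?P<date>\w{3} \d{2} \d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<msg_id>\d{6})\s+(?P<text>.*)$"
)
# 106023: Deny <proto> src <if>:<addr> dst <if>:<addr> [(type X, code Y)] by access-group "<acl>"
_ACL_DENY = re.compile(
    r"Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? by access-group \"(?P<acl>[^\"]+)\""
)
# 313005: ... icmp src <if>:<addr> dst <if>:<addr> (type X, code Y) on <if> interface
_ICMP_ERR = re.compile(
    r"No matching connection for ICMP error message: icmp src (?P<src_if>[^:\s]+):(?P<src>\S+)"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\)"
    r" on (?P<on_if>\S+) interface"
)

_ICMP_NAMES = {  # RFC 792 type/code pairs a firewall log commonly shows
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 0): "destination unreachable (net unreachable)",
    (3, 1): "destination unreachable (host unreachable)",
    (3, 2): "destination unreachable (protocol unreachable)",
    (3, 3): "destination unreachable (port unreachable)",
    (3, 13): "destination unreachable (administratively prohibited)",
    (11, 0): "time exceeded (TTL expired in transit)",
}


def icmp_name(icmp_type: int, icmp_code: int) -> str:
    return _ICMP_NAMES.get((icmp_type, icmp_code), f"type {icmp_type} code {icmp_code}")


def parse_pix_event(line: str) -> Optional[dict]:
    """Return a dict of fields, or None if the line is not a log-viewer row."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    event = {"severity": int(m["severity"]), "msg_id": m["msg_id"], "text": m["text"]}
    body = None
    if m["msg_id"] == "106023":
        body = _ACL_DENY.search(m["text"])
    elif m["msg_id"] == "313005":
        body = _ICMP_ERR.search(m["text"])
    if body:
        event.update(body.groupdict())
        for key in ("icmp_type", "icmp_code"):
            if event.get(key) is not None:
                event[key] = int(event[key])
    return event


def classify(event: dict) -> str:
    """ACL deny versus stateful-inspection drop of an unrelated ICMP error."""
    return {"106023": "acl_deny", "313005": "stateful_icmp_error_drop"}.get(event["msg_id"], "other")


def src_in_pool(event: dict, pool_cidr: str = VPN_POOL) -> bool:
    """True when the logged source address is inside the VPN address pool."""
    try:
        return ipaddress.ip_address(event["src"]) in ipaddress.ip_network(pool_cidr)
    except (KeyError, ValueError):
        return False  # hostname instead of address, or no src field parsed


def describe(event: dict, pool_cidr: str = VPN_POOL) -> str:
    kind = classify(event)
    if kind == "acl_deny" and "acl" in event:
        what = (icmp_name(event["icmp_type"], event["icmp_code"])
                if event.get("icmp_type") is not None else event["proto"])
        pool = " [source in VPN pool]" if src_in_pool(event, pool_cidr) else ""
        return (f"{what} {event['src_if']}:{event['src']}{pool} -> "
                f"{event['dst_if']}:{event['dst']} denied by ACL {event['acl']}")
    if kind == "stateful_icmp_error_drop" and "on_if" in event:
        return (f"{icmp_name(event['icmp_type'], event['icmp_code'])} from "
                f"{event['src_if']}:{event['src']} to {event['dst_if']}:{event['dst']} "
                f"dropped on {event['on_if']}: no existing connection to match it to")
    return f"{event['msg_id']}: {event['text']}"


SAMPLE_LOG_LINES = [  # copied from the log-viewer rows quoted in the thread
    '4      Jan 06 2013      11:49:16      106023      192.168.0.26      192.168.0.2       '
    'Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) '
    'by access-group "inside_access_in_1" [0x0, 0x0]',
    "4      Jan 06 2013      12:52:52      313005                   "
    "No matching connection for ICMP error message: icmp src Outside:192.168.0.2 "
    "dst inside:Triton (type 3, code 2) on Outside interface.  Original IP payload: <unknown>.",
]

if __name__ == "__main__":
    for row in SAMPLE_LOG_LINES:
        ev = parse_pix_event(row)
        print(describe(ev) if ev else f"unparsed: {row}")
```

Run against the two rows, the parser shows the distinction djcanter draws: the 106023 row is a policy decision by the named access-group on the inside interface (and the source it names falls inside the assumed VPN pool range, which is worth checking against the NAT exemption the author describes), while the 313005 row is the stateful engine discarding an ICMP error that arrived on Outside without a matching connection, which is expected behaviour rather than a configured deny.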
 
LVL 10

Expert Comment

by:djcanter
Stateful inspection is enabled. That's why you see the no active sessions message.
0
 

Author Comment

by:crjaq
Ok. Does that also apply to this message as well?

------------------------------------------------------------------------------------------------------------------------------
4      Jan 06 2013      11:49:16      106023      192.168.0.26      192.168.0.2       Deny icmp src inside:192.168.0.26 dst Outside:192.168.0.2 (type 8, code 0) by access-group "inside_access_in_1" [0x0, 0x0]

"%PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL."
-------------------------------------------------------------------------------------------------------------------------------
0
 

Author Comment

by:crjaq
We ended up using another Linux box since we weren't able to resolve it.
Thank you for all your responses.
0
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
Replacing the machine was my answer way back here, so you should probably now close the question.
.... Thinkpads_User
0
 

Author Closing Comment

by:crjaq
Thanks!
0
 
LVL 90

Expert Comment

by:John Hurst
Thank you and I was very happy to help.
... Thinkpads_User
0
