I cannot ping or access the remote network from the remote VPN client?

Unanswered Question
Jul 5th, 2007

I have two PIX firewalls (FIREWALL1 and FIREWALL2).

FIREWALL1 is protecting from the Internet.

FIREWALL2 is protecting from an internal network.

Like this:

---INTERNET--++FIREWALL1--++--FIREWALL2

I am connecting from home by Cisco VPN client. I receive an IP address from the pool, which is 192.168.60.1 255.255.255.0. I am able to ping the first subnet 192.168.50.0 255.255.255.0 on FIREWALL1, but I cannot ping or access the subnet 192.168.1.0 255.255.255.0 behind FIREWALL2.


I did some debugging on FIREWALL2:

FIREWALL2# 120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40

121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40

122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40

123: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27392 length=40


I don't understand why I get no reply back to the remote Cisco VPN client.



acomiskey Thu, 07/05/2007 - 08:19

You are currently only allowing echo-reply; you must allow echo for the ping from outside the PIX.


access-list outside_access_in permit icmp any any echo-reply


add


access-list outside_access_in permit icmp any any echo


Please rate helpful posts.



dcoulanges Thu, 07/05/2007 - 08:59

I added your command access-list outside_access_in permit icmp any any echo on both firewalls... no success.




When I am trying to ping from the source interface inside (192.168.1.1) to the remote Cisco VPN client (192.168.60.1), I get this message on FIREWALL2:

FIREWALL2# ping inside 192.168.60.1

68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1

69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40

192.168.60.1 NO response received -- 1000ms

70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1

71: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=1 length=40

192.168.60.1 NO response received -- 1000ms

72: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.60.1

73: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=2 length=40

192.168.60.1 NO response received -- 1000ms



When I am trying to ping from the VPN client (192.168.60.1) to the inside interface (192.168.1.1) of FIREWALL2, I get this message on FIREWALL2:

FIREWALL2# 67: ICMP echo-request from outside:192.168.60.1 to 192.168.1.217 ID=1024 seq=3072 length=40



What do you suggest?
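One way to read the "debug icmp trace" output posted above mechanically, as an added Python example that is not part of this thread: it pairs each echo-request with an echo-reply for the same flow and sequence number, so requests that never saw a reply (here the 192.168.60.1 -> 192.168.1.0/24 direction) stand out. The sample lines are constructed to match the two line formats shown in the posts; the ICMP ID is ignored on purpose because the PIX prints it differently in the two formats.

```python
import re
from collections import defaultdict

# Line shape 1 (debug trace): "120: ICMP echo-request from outside:A to B ID=1024 seq=26624 length=40"
TRACE_RE = re.compile(
    r"ICMP echo[- ](?P<kind>request|reply) from (?:\w+:)?(?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+)")
# Line shape 2 (local ping): "68: ICMP echo request (len 32 id 9233 seq 0) A > B"
PING_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) \(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+)")

# Constructed sample in the format of the thread's output (not a real capture).
SAMPLE = """\
120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40
121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40
68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1
69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40
192.168.60.1 NO response received -- 1000ms
""".splitlines()


def parse_line(line):
    """Return (kind, src, dst, seq) for an ICMP debug line, or None for other lines."""
    m = TRACE_RE.search(line) or PING_RE.search(line)
    if not m:
        return None
    return m.group("kind"), m.group("src"), m.group("dst"), int(m.group("seq"))


def unanswered_requests(lines):
    """Map (src, dst) -> sorted seq numbers of echo requests that got no reply.

    A reply matches a request when it flows dst -> src with the same seq,
    so a flow that only ever shows requests is a one-way (asymmetric) path.
    """
    requests = defaultdict(set)
    replies = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, src, dst, seq = parsed
        if kind == "request":
            requests[(src, dst)].add(seq)
        else:
            replies[(dst, src)].add(seq)  # key on the original request direction
    return {flow: sorted(seqs - replies.get(flow, set()))
            for flow, seqs in requests.items() if seqs - replies.get(flow, set())}


if __name__ == "__main__":
    for (src, dst), seqs in unanswered_requests(SAMPLE).items():
        print(f"{src} -> {dst}: {len(seqs)} request(s) without reply, seq {seqs}")
```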

acomiskey Thu, 07/05/2007 - 09:01

Didn't realize you were trying to ping the inside interface. To be able to ping the inside PIX interface from the VPN client you have to add to the PIX..


management-access inside

dcoulanges Thu, 07/05/2007 - 14:29

Didn't work.

I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).



dcoulanges Fri, 07/06/2007 - 07:33

I added the management-access inside

and it didn't work, and also

I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).

acomiskey Fri, 07/06/2007 - 07:39

It appears you do not have a default route on PIX 2.


route outside 0.0.0.0 0.0.0.0 192.168.50.1

dcoulanges Fri, 07/06/2007 - 11:05

I added the route; it does not work. Maybe it's a NAT issue or an ACL issue.

acomiskey Mon, 07/09/2007 - 05:25

Want to post the current configs?
