I cannot ping or access the remote network from the remote VPN client?

Unanswered Question
Jul 5th, 2007

I have two PIX firewalls (FIREWALL1 and FIREWALL2)

Firewall1 is protecting from the internet

Firewall is protecting from an internal network

Like this:

---INTERNET--++FIREWALL1--++--FIREWALL2

I am connecting from home by Cisco VPN client. I receive an IP address from the pool, which is 192.168.60.1 255.255.255.0. I am able to ping the first subnet 192.168.50.0 255.255.255.0 on the Firewall1, but I cannot ping or access the subnet 192.168.1.0 255.255.255.0 behind the Firewall2.

I did some debug on FIREWALL2:

FIREWALL2#120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40

121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40

q122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40

q123: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27392 length=40

I don't understand why I have no reply from the remote Cisco VPN client.

acomiskey Thu, 07/05/2007 - 08:19

You are currently only allowing echo-reply, you must allow echo for the ping from outside the pix..

access-list outside_access_in permit icmp any any echo-reply

add

access-list outside_access_in permit icmp any any echo

Please rate helpful posts.

dcoulanges Thu, 07/05/2007 - 08:59

I added your command access-list outside_access_in permit icmp any any echo on both firewalls... no success

When I am trying to ping from source of interface inside (192.168.1.1) to the remote Cisco VPN client (192.168.60.1), I got that message on FIREWALL2:

FIREWALL2# ping inside 192.168.60.1

68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1

69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40

192.168.60.1 NO response received -- 1000ms

70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1

71: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=1 length=40

192.168.60.1 NO response received -- 1000ms

72: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.60.1

73: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=2 length=40

192.168.60.1 NO response received -- 1000ms

When I am trying to ping from the VPN client (192.168.60.1) to the interface inside (192.168.1.1) of the Firewall2, I got that message on the Firewall2:

FIREWALL2# 67: ICMP echo-request from outside:192.168.60.1 to 192.168.1.217 ID=1024 seq=3072 length=40

What do you suggest?

acomiskey Thu, 07/05/2007 - 09:01

Didn't realize you were trying to ping the inside interface. To be able to ping the inside pix interface from the vpn client you have to add to pix..

management-access inside

dcoulanges Thu, 07/05/2007 - 14:29

Did not work.

I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).

dcoulanges Fri, 07/06/2007 - 07:33

I added the management-access inside

and it did not work, and also

I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).

acomiskey Fri, 07/06/2007 - 07:39

It appears you do not have a default route on pix 2.

route outside 0.0.0.0 0.0.0.0 192.168.50.1

dcoulanges Fri, 07/06/2007 - 11:05

I added the route; it does not work. Maybe it is a NAT issue or an ACL issue.
