07-05-2007 08:14 AM
I have two PIX firewalls (FIREWALL1 and FIREWALL2).
Firewall1 is protecting from the Internet.
Firewall2 is protecting an internal network.
Like this:
---INTERNET--++FIREWALL1--++--FIREWALL2
I am connecting from home by Cisco VPN client; I receive an IP address from the pool, which is 192.168.60.1 255.255.255.0. I am able to ping the first subnet 192.168.50.0 255.255.255.0 on Firewall1, but I cannot ping or access the subnet 192.168.1.0 255.255.255.0 behind Firewall2.
I did some debug on FIREWALL2:
FIREWALL2#120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40
121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40
q122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40
q123: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27392 length=40
I don't understand why I get no reply from the remote Cisco VPN client.
07-05-2007 08:19 AM
You are currently only allowing echo-reply; you must allow echo for the ping from outside the PIX:
access-list outside_access_in permit icmp any any echo-reply
Add:
access-list outside_access_in permit icmp any any echo
Please rate helpful posts.
07-05-2007 08:59 AM
I added your command access-list outside_access_in permit icmp any any echo on both firewalls... no success.
When I am trying to ping from the source interface inside (192.168.1.1) to the remote Cisco VPN client (192.168.60.1), I get this message on FIREWALL2:
FIREWALL2# ping inside 192.168.60.1
68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1
69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40
192.168.60.1 NO response received -- 1000ms
70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1
71: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=1 length=40
192.168.60.1 NO response received -- 1000ms
72: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.60.1
73: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=2 length=40
192.168.60.1 NO response received -- 1000ms
When I am trying to ping from the VPN client (192.168.60.1) to the inside interface (192.168.1.1) of Firewall2, I get this message on Firewall2:
FIREWALL2# 67: ICMP echo-request from outside:192.168.60.1 to 192.168.1.217 ID=1024 seq=3072 length=40
What do you suggest?
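The PIX debug lines quoted in the posts above are the evidence this thread turns on: echo-requests arriving on outside with no echo-reply going back, and a reply the PIX does not match to its own request. The following Python script is an added example, not part of the original thread or of any Cisco tool, that parses both debug line layouts seen in these posts and lists every echo-request for which no reply with the addresses reversed and the same sequence number appeared. The sample lines are constructed to mirror the thread's output, and the regular expressions assume exactly the line layout shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the PIX debug output quoted in this thread.
SAMPLE_DEBUG = """\
120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40
121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40
q122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40
68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1
69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40
70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1
"""

# Layout of packets seen on an interface: "<n>: ICMP echo-request from <iface>:<src> to <dst> ID=<id> seq=<seq> length=<len>"
INBOUND_RE = re.compile(
    r"^(?P<n>\d+): ICMP (?P<kind>echo-request|echo-reply) from (?P<iface>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) length=\d+$"
)
# Layout of packets the PIX itself sends: "<n>: ICMP echo request (len <l> id <id> seq <seq>) <src> > <dst>"
LOCAL_RE = re.compile(
    r"^(?P<n>\d+): ICMP echo request \(len \d+ id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+)$"
)


@dataclass
class IcmpEvent:
    n: int
    kind: str            # "echo-request" or "echo-reply"
    src: str
    dst: str
    seq: int
    iface: Optional[str] = None  # None for packets the PIX generated itself


def parse_line(line: str) -> Optional[IcmpEvent]:
    """Parse one debug line; returns None for lines that are not ICMP echo events."""
    # A stray leading 'q' (typed at the console to stop the debug) appears in the thread; drop it.
    line = line.strip().lstrip("q")
    m = INBOUND_RE.match(line)
    if m:
        return IcmpEvent(int(m["n"]), m["kind"], m["src"], m["dst"], int(m["seq"]), m["iface"])
    m = LOCAL_RE.match(line)
    if m:
        return IcmpEvent(int(m["n"]), "echo-request", m["src"], m["dst"], int(m["seq"]))
    return None


def parse_debug(text: str) -> List[IcmpEvent]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def unanswered_requests(events: List[IcmpEvent]) -> List[IcmpEvent]:
    """Echo-requests with no echo-reply whose src/dst are reversed and whose seq matches."""
    replies = {(e.src, e.dst, e.seq) for e in events if e.kind == "echo-reply"}
    return [e for e in events
            if e.kind == "echo-request" and (e.dst, e.src, e.seq) not in replies]


def summarize(text: str) -> Dict[Tuple[str, str], List[int]]:
    """Group unanswered requests by (src, dst) so a one-way flow stands out at a glance."""
    by_flow: Dict[Tuple[str, str], List[int]] = {}
    for e in unanswered_requests(parse_debug(text)):
        by_flow.setdefault((e.src, e.dst), []).append(e.seq)
    return by_flow


if __name__ == "__main__":
    for (src, dst), seqs in summarize(SAMPLE_DEBUG).items():
        print(f"{src} -> {dst}: {len(seqs)} echo-request(s) without a reply, seq {seqs}")
```

On the sample, every request from the VPN pool address toward 192.168.1.1 is reported as unanswered, and the PIX's own request with seq 1 is as well, while its seq 0 request is matched by the reply that arrived. A flow where every inbound request is unanswered points at the return path rather than at the inbound ICMP ACL, which is why the later replies in this thread turn to the default route and NAT on the second firewall.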
07-05-2007 09:01 AM
Didn't realize you were trying to ping the inside interface. To be able to ping the inside PIX interface from the VPN client you have to add to the PIX:
management-access inside
07-05-2007 02:29 PM
It did not work.
I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).
07-06-2007 07:33 AM
I added the management-access inside
and it did not work, and also
I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).
07-06-2007 07:39 AM
It appears you do not have a default route on PIX 2:
route outside 0.0.0.0 0.0.0.0 192.168.50.1
07-06-2007 11:05 AM
I added the route; it does not work. Maybe it's a NAT issue or an ACL issue.
07-09-2007 05:25 AM
Want to post the current configs?