i cannot ping or access remote network from the remote vpn client ?

dcoulanges · ‎07-05-2007

I got two pix firewall ( FIREWALL1 and FIREWALL2)

Firewall1 is protecting from the internet

Firewall is protecting from a internal network

LIKE this :

---INTERNET--++FIREWALL1--++--FIREWALL2

i am connecting from home bye cisco vpn client, i receive a ip address from the pool which is 192.168.60.1 255.255.255.0, i am able to ping the the first subnet 192.168.50.0 255.255.255.0 on the Firewall1 but i cannot to ping or access the subnet 192.168.1.0 255.255.255.0 behind the Firewall2

i did some debug FIREWALL2:

FIREWALL2#120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40

121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40

q122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40

q123: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27392 length=40

i don't understand why i do have no reply from the remote cisco vpn client

acomiskey · ‎07-05-2007

You are currently only allowing echo-reply, you must allow echo for the ping from outside the pix..

access-list outside_access_in permit icmp any any echo-reply

add

access-list outside_access_in permit icmp any any echo

Please rate helpful posts.

dcoulanges · ‎07-05-2007

I added your command access-list outside_access_in permit icmp any any echo on both firewall... no success

when i am tring to ping from source of interface inside(192.168.1.1) to the remote cisco vpn client(192.168.60.1) i got that message FIREWALL2

FIREWALL2# ping inside 192.168.60.1

68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1

69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40

192.168.60.1 NO response received -- 1000ms

70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1

71: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=1 length=40

192.168.60.1 NO response received -- 1000ms

72: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.60.1

73: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=2 length=40

192.168.60.1 NO response received -- 1000ms

when i am trying to ping from the vpn client(192.168.60.1) to the interface inside(192.168.1.1) of the firewall2 i got that message on the firewall2:

FIREWALL2# 67: ICMP echo-request from outside:192.168.60.1 to 192.168.1.217 ID=1024 seq=3072 length=40

what do you suggest?

acomiskey · ‎07-05-2007

Didn't realize you were trying to ping the inside interface. To be able to ping the inside pix interface from the vpn client you have to add to pix..

management-access inside

dcoulanges · ‎07-05-2007

did'not work

i cannot ping or access the network 192.168.1.0/24 from 192.168.60.0(vpn client users)

dcoulanges · ‎07-06-2007

i added the management-access inside

and did'not work and also

i cannot ping or access the network 192.168.1.0/24 from 192.168.60.0(vpn client users)

acomiskey · ‎07-06-2007

It appears you do not have a default route on pix 2.

route outside 0.0.0.0 0.0.0.0 192.168.50.1

dcoulanges · ‎07-06-2007

i added the route do not work maybe it a NAT issue or acl issue

acomiskey · ‎07-09-2007

Want to post the current configs?