07-05-2007 08:14 AM
I have two PIX firewalls (FIREWALL1 and FIREWALL2).
Firewall1 is protecting from the Internet.
Firewall2 is protecting from an internal network.
LIKE this :
---INTERNET--++FIREWALL1--++--FIREWALL2
I am connecting from home by Cisco VPN client; I receive an IP address from the pool, which is 192.168.60.1 255.255.255.0. I am able to ping the first subnet 192.168.50.0 255.255.255.0 on Firewall1, but I cannot ping or access the subnet 192.168.1.0 255.255.255.0 behind Firewall2.
I did some debugging on FIREWALL2:
FIREWALL2#120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40
121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40
q122: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27136 length=40
q123: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=27392 length=40
I don't understand why I get no reply from the remote Cisco VPN client.
07-05-2007 08:19 AM
You are currently only allowing echo-reply; you must allow echo for the ping from outside the PIX.
access-list outside_access_in permit icmp any any echo-reply
add
access-list outside_access_in permit icmp any any echo
Please rate helpful posts.
07-05-2007 08:59 AM
I added your command access-list outside_access_in permit icmp any any echo on both firewalls... no success.
When I am trying to ping from the source interface inside (192.168.1.1) to the remote Cisco VPN client (192.168.60.1), I get this message on FIREWALL2:
FIREWALL2# ping inside 192.168.60.1
68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1
69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40
192.168.60.1 NO response received -- 1000ms
70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1
71: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=1 length=40
192.168.60.1 NO response received -- 1000ms
72: ICMP echo request (len 32 id 9233 seq 2) 192.168.1.1 > 192.168.60.1
73: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=2 length=40
192.168.60.1 NO response received -- 1000ms
When I am trying to ping from the VPN client (192.168.60.1) to the inside interface (192.168.1.1) of Firewall2, I get this message on Firewall2:
FIREWALL2# 67: ICMP echo-request from outside:192.168.60.1 to 192.168.1.217 ID=1024 seq=3072 length=40
What do you suggest?
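As an added example (not from the thread or any Cisco tool), a small Python parser for the PIX ICMP debug format quoted in the two captures above: it pairs echo-requests with echo-replies by reversed addresses and sequence number and lists the probes that never got an answer. The sample capture is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample built from the debug lines quoted in this thread (not a live capture).
SAMPLE_DEBUG = """\
120: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26624 length=40
121: ICMP echo-request from outside:192.168.60.1 to 192.168.1.1 ID=1024 seq=26880 length=40
68: ICMP echo request (len 32 id 9233 seq 0) 192.168.1.1 > 192.168.60.1
69: ICMP echo-reply from outside:192.168.60.1 to 192.168.1.1 ID=4388 seq=0 length=40
70: ICMP echo request (len 32 id 9233 seq 1) 192.168.1.1 > 192.168.60.1
"""

# Transit packet seen on an interface: "NNN: ICMP echo-request from outside:A to B ID=n seq=m length=l"
TRANSIT = re.compile(
    r"^\d+: ICMP (echo-request|echo-reply) from (\w+):(\S+) to (\S+) ID=(\d+) seq=(\d+)")
# The PIX's own ping: "NNN: ICMP echo request (len 32 id n seq m) A > B"
LOCAL_PING = re.compile(r"^\d+: ICMP echo request \(len \d+ id (\d+) seq (\d+)\) (\S+) > (\S+)")


def same_icmp_id(a, b):
    """Two 16-bit identifiers match directly or byte-swapped. The thread's capture
    prints id 9233 (0x2411) on the ping line and ID=4388 (0x1124) on the matching
    echo-reply line, i.e. the same value printed in opposite byte order."""
    return a == b or a == ((b & 0xFF) << 8 | b >> 8)


def parse_debug(text):
    """Return (requests, replies) as lists of (src, dst, icmp_id, seq, interface)."""
    requests, replies = [], []
    for line in text.splitlines():
        m = TRANSIT.match(line)
        if m:
            kind, iface, src, dst, icmp_id, seq = m.groups()
            bucket = requests if kind == "echo-request" else replies
            bucket.append((src, dst, int(icmp_id), int(seq), iface))
            continue
        m = LOCAL_PING.match(line)
        if m:
            icmp_id, seq, src, dst = m.groups()
            requests.append((src, dst, int(icmp_id), int(seq), "local"))
    return requests, replies


def unanswered(text):
    """Echo-requests with no echo-reply carrying reversed addresses, the same seq
    and a matching identifier anywhere in the capture."""
    requests, replies = parse_debug(text)
    return [(iface, src, dst, seq)
            for src, dst, icmp_id, seq, iface in requests
            if not any(r[0] == dst and r[1] == src and r[3] == seq
                       and same_icmp_id(icmp_id, r[2]) for r in replies)]
```

Run against the sample, the two inbound requests from the VPN pool address and the second local ping are reported as unanswered; the first local ping is matched to the echo-reply that did reach the outside interface.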
07-05-2007 09:01 AM
Didn't realize you were trying to ping the inside interface. To be able to ping the inside PIX interface from the VPN client you have to add to the PIX:
management-access inside
07-05-2007 02:29 PM
Didn't work.
I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).
07-06-2007 07:33 AM
I added the management-access inside and it didn't work, and also
I cannot ping or access the network 192.168.1.0/24 from 192.168.60.0 (VPN client users).
07-06-2007 07:39 AM
It appears you do not have a default route on PIX 2.
route outside 0.0.0.0 0.0.0.0 192.168.50.1
07-06-2007 11:05 AM
I added the route; it does not work. Maybe it's a NAT issue or an ACL issue.
07-09-2007 05:25 AM
Want to post the current configs?