amritpatek Wed, 10/10/2007 - 12:22

The command you are looking for is "sysopt connection permit-ipsec". What's unusual about this command is that it does not automatically allow ICMP packets to come through across an IPsec tunnel. We must specifically permit that. Here's how to do it. The addresses mentioned below are just an example:

lan behind the pix: 192.168.1.0 255.255.255.0
lan behind the remote site: 172.16.99.0 255.255.255.0

access-list outside permit icmp 172.16.99.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside in interface outside

If you wanted to permit ICMP from any outside address, you could write that list like this:


access-list outside permit icmp any any
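The same setup as a fuller PIX 6.x configuration fragment, added here as an example rather than taken from the post above; the crypto ACL name "vpn-traffic" is assumed, and it goes one step beyond the post by permitting only the ICMP types needed for ping and traceroute instead of "permit icmp any any", so the outside interface is not opened to every ICMP type from every source.

```cisco
! Added example; not the poster's configuration. Addresses are the ones
! used above; the ACL name "vpn-traffic" is assumed. Lines starting with
! "!" are annotations only.

! Let traffic that arrived through the IPsec tunnel bypass the outside ACL.
sysopt connection permit-ipsec

! Interesting traffic for the tunnel: inside LAN <-> remote LAN.
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0

! ICMP still has to be permitted explicitly. Limit it to the remote LAN
! and to the types ping and traceroute actually need.
access-list outside permit icmp 172.16.99.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list outside permit icmp 172.16.99.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-list outside permit icmp 172.16.99.0 255.255.255.0 192.168.1.0 255.255.255.0 unreachable
access-list outside permit icmp 172.16.99.0 255.255.255.0 192.168.1.0 255.255.255.0 time-exceeded
! Everything else from outside is dropped by the implicit deny at the end.
access-group outside in interface outside

! Verify from enable mode: hit counts should increase while pinging across the tunnel.
show access-list outside
```

If the hit counts on the echo and echo-reply lines stay at zero while a ping across the tunnel fails, the ACL is not the problem and the tunnel itself (interesting-traffic ACL or crypto map) is the place to look next.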
