Can't Ping Across PIX 515e

reeddavid
Level 1

I am able to connect to my PIX 515e but after I am connected I can't ping across it. I try to ping the inside from a PC that I have directly connected to the outside. Here is the config file, hope this helps.

MTBFirewall(config)# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname MTBFirewall
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.x.x.x.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.30.4.100 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx
ftp mode passive
access-list nonat extended permit ip 172.30.4.0 255.255.255.0 172.30.8.0 255.255.255.0
access-list test extended permit ip 172.30.4.0 255.255.255.0 any
access-list test extended permit ip any 172.30.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.30.8.1-172.30.8.100 mask 255.255.255.0
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 1 172.30.4.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Administrator internal
group-policy vpncert internal
group-policy vpncert attributes
 vpn-idle-timeout 30
username reedd password xxx encrypted
http server enable
http 172.30.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpncert type ipsec-ra
tunnel-group vpncert general-attributes
 address-pool vpnpool
 default-group-policy vpncert
tunnel-group vpncert ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

4 Replies

David,

For outside to inside connection you need a couple of things - static and ACL.

Here's a sample configuration that would give you an idea.

Let's say you have the following setup. If you want to ping the inside host from outside then the configuration below would make it work.

Inside PC - 172.30.4.50
Outside PC - 209.16.115.2

static (inside,outside) 172.30.4.50 172.30.4.50
access-list acl_outside permit icmp host 209.16.115.2 host 172.30.4.50
access-group acl_outside in interface outside

In this example the static is doing no-nat of inside address but you can use a global address for the inside host if you desire so.

HTH

Sundar

Sundar,

It seems to me that you are creating an explicit ACL to allow the outside PC access through to the inside. What I want is any PC that gets a new IP address from the vpnpool to be able to ping the inside.

Is your way the only way to do this? It seems to bypass the VPN.

ajagadee
Cisco Employee

Hi,

After you connect the VPN Client and try to ping an IP Address on the inside, do you see counters increasing under Packets TX and RX on the client side? If you see only TX getting increased, can you do a "show crypto ipsec sa" and look for packets Encrypts and Decrypts.

Also, do a clear xlate on the Pix and try pinging again.

I hope it helps.

Regards,

Arul

jmiller
Level 1

crypto map mymap 10 set reverse-route to allow your routing to work correctly for this tunnel back to your client. And if you want to access the internet given you do not want split tunnel and you have DNS servers specified under your group across this VPN tunnel you should specify your config like this.

nat (outside) 1 172.30.8.0 255.255.255.0
global (outside) 1 int

HTH
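An added example, not code from any poster in this thread: a small Python checker that reads a PIX 7.0 running-config like the one posted above and reports the items the replies ask about, namely which pool the VPN clients get, whether the nat (inside) 0 exemption covers that pool, and whether the inbound outside ACL (Sundar's reply), reverse-route injection and the outside nat/global pair (jmiller's reply) are present. The sample input is a constructed excerpt of the posted config; the function names and the set of checks are assumptions of this example, and only plain network/mask ACEs are parsed.

```python
import re
import ipaddress

# Constructed excerpt of the running-config posted in the question; sample
# input for this example only, not a live device dump.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 172.30.4.0 255.255.255.0 172.30.8.0 255.255.255.0
ip local pool vpnpool 172.30.8.1-172.30.8.100 mask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 172.30.4.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Network containing addr under the given dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_pix_vpn_config(config: str) -> dict:
    """Report the settings the replies in this thread ask about, as a dict of findings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def first(pattern):
        return next((m for m in map(re.compile(pattern).match, lines) if m), None)
    findings = {}
    # Address pool handed to VPN clients, derived from its first address and mask.
    m = first(r"ip local pool \S+ (\S+)-\S+ mask (\S+)$")
    pool = net(m.group(1), m.group(2)) if m else None
    findings["vpn_pool"] = str(pool) if pool else None
    # Is inside-to-pool traffic exempt from NAT through "nat (inside) 0 access-list <acl>"?
    exempt = False
    m = first(r"nat \(inside\) 0 access-list (\S+)$")
    if m and pool:
        ace = rf"access-list {re.escape(m.group(1))} extended permit ip \S+ \S+ (\S+) (\S+)$"
        exempt = any(pool.subnet_of(net(a.group(1), a.group(2)))
                     for a in map(re.compile(ace).match, lines) if a)
    findings["pool_nat_exempt"] = exempt
    # Inbound ACL bound to outside (what Sundar's static + access-group reply adds).
    findings["outside_acl_applied"] = first(r"access-group \S+ in interface outside$") is not None
    # Reverse-route injection on the crypto map (jmiller's first suggestion).
    findings["reverse_route"] = first(r"crypto map \S+ \d+ set reverse-route$") is not None
    # nat/global pair on outside so pool clients can reach the internet without split tunnel.
    findings["outside_pool_nat"] = (first(r"nat \(outside\) \d+ ") is not None
                                    and first(r"global \(outside\) \d+ ") is not None)
    return findings
```

Run against the posted config it reports the pool as NAT-exempt but the other three items absent; appending the lines from the two replies flips them to present.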
