allowing ping to ipsec remote access clients

Unanswered Question
Sep 19th, 2008

Hi all, can anyone tell me how I can ping my remote access clients from inside my network? There is no access list on the inside interface, so I would have thought it should work. Do I need to create a rule allowing the echo reply back through?

satish_zanjurne Fri, 09/19/2008 - 01:20
Hi,


If you have established the IPSec with remote access clients, then you should be able to ping them directly, because the IP address pool for remote access clients must be routable.


Otherwise,


1. The first option is to set up a specific rule for each type of echo message.


access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside


2. The second option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall.


policy-map global_policy

class inspection_default

inspect icmp


HTH...rate if helpful..
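
The difference between the two options in the reply above, as an added example that is not part of the original post: a simplified Python model of the static `access-list 101` rules next to ICMP inspection, for echo traffic only. The class and function names, addresses and packets are constructed for illustration, and the model is an assumption about the behaviour described, not Cisco's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str          # "echo", "echo-reply", "unreachable", ...
    ident: int = 0
    seq: int = 0

# Option 1: the ICMP types permitted by access-list 101, inbound on outside.
ACL_101_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

def acl_permits(pkt):
    """Stateless check: 'any any', so only the ICMP type is compared."""
    return pkt.kind in ACL_101_TYPES

class IcmpInspection:
    """Option 2, simplified: remember outbound echoes, admit only their replies."""
    def __init__(self):
        self.pending = set()

    def outbound(self, pkt):
        if pkt.kind == "echo":
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))

    def inbound_permitted(self, pkt):
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if pkt.kind == "echo-reply" and key in self.pending:
            self.pending.discard(key)   # one reply per request
            return True
        return False

def compare(outbound, inbound):
    """Return (option 1 verdict, option 2 verdict) for each inbound packet."""
    fw = IcmpInspection()
    for pkt in outbound:
        fw.outbound(pkt)
    return [(acl_permits(p), fw.inbound_permitted(p)) for p in inbound]

# Constructed sample addresses and packets (not from the thread).
INSIDE, CLIENT, OTHER = "192.168.1.10", "10.10.10.5", "203.0.113.9"
PING = [Icmp(INSIDE, CLIENT, "echo", ident=7, seq=1)]
INBOUND = [
    Icmp(CLIENT, INSIDE, "echo-reply", 7, 1),   # reply to the ping
    Icmp(OTHER, INSIDE, "echo-reply", 7, 1),    # unsolicited, other source
    Icmp(CLIENT, INSIDE, "echo-reply", 7, 1),   # duplicate reply
]
```

`compare(PING, INBOUND)` shows the static rules accepting all three replies, while the inspection model accepts only the first, which is the "replies back to the trusted address only" behaviour the reply describes.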

carl_townshend Fri, 09/19/2008 - 02:52

How should it normally work? Should it work with inspection off and no access lists when pinging from inside to outside?
