Can't ping remote SR 520 router, Zone Based Security

Unanswered Question
Jan 4th, 2009


I have an SR 520 router located at my remote site with public IP xx.8.140.226, and private IP

The central office is at public IP xx.60.101.154, and has a scheme. I have a site to site VPN tunnel between the central and remote sites.

It seems to work fine, but I can't ping the remote site from the central site. In other words, I can't ping the SR520's inside address from the central site. The SR 520's public address (xx.8.140.226) also cannot be pinged from the internet.

From the remote site, I can ping the central site fine. I must be using zone based security incorrectly in the attached remote site config? What do I need to do to make the remote site pingable, and preferably the clients behind the remote site SR520 pingable from the central site? Can someone help? It would be much appreciated.

itccv0822 Mon, 01/05/2009 - 07:42

I was able to resolve these pinging problems. I added a new inspect class map ("allow-ping-in") which matched protocol icmp. I added this class map to the policy affecting traffic from out-zone to self. I also added a policy for out-zone to in-zone and added the same class map to it. So now I can ping the outside interface from the internet, and I seem to be able to ping the clients in the remote site from the central site.

Still, I can't access a server or perform any functions on the clients in the remote site from HQ, only ping them. Do I need to allow tcp and udp access from the out-zone to the in-zone? Or maybe I need to specify that this traffic will come only from HQ. Isn't there any way to specify this using the fact that there is a VPN between the 2 sites?

I attached my latest config. Tell me if anyone has any suggestions for it.


itccv0822 Mon, 01/05/2009 - 08:05

Maybe instead of matching protocol icmp coming from out-zone to self, and from out-zone to in-zone, I should have matched default-inspection traffic instead?

itccv0822 Mon, 01/05/2009 - 13:54

Does anyone have any idea whether, if I apply "match default-inspection-traffic" to class map "allow-ping-in", I will be able to operate on clients behind this firewall, as in use VNC on them and access a database I have over there?
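The zone-pair layout described in the 07:42 post (an ICMP inspect class map on out-zone to self and out-zone to in-zone), plus the tighter variant the 07:42 post asks about (letting TCP/UDP in only when it comes from HQ over the tunnel), written out as an added IOS Zone-Based Firewall example that is not the poster's attached config. Zone and class-map names are taken from the thread; the subnets, the HQ peer address and the access-list names are placeholders, and it assumes the tunnel terminates with a crypto map on the outside interface, so decrypted traffic is classified as out-zone.

```cisco
! Added example, not the poster's config. Zone and class-map names are
! from the thread; prefixes, peer address and ACL names are placeholders.
! Decrypted IPsec traffic arriving through a crypto map on the outside
! interface is out-zone traffic, so HQ's LAN is matched in out->in.
zone security in-zone
zone security out-zone
!
! Placeholder prefixes: HQ LAN 10.10.0.0/24, remote LAN 10.20.0.0/24,
! HQ public peer 203.0.113.1.
ip access-list extended HQ-VPN-SOURCE
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
ip access-list extended VPN-TO-SELF
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
!
class-map type inspect match-any allow-ping-in
 match protocol icmp
class-map type inspect match-any hq-services
 match protocol icmp
 match protocol tcp
 match protocol udp
! match-all: source must be the HQ LAN AND the protocol must be listed.
class-map type inspect match-all from-hq-over-vpn
 match access-group name HQ-VPN-SOURCE
 match class-map hq-services
class-map type inspect match-any vpn-control
 match access-group name VPN-TO-SELF
!
! Internet -> LAN: only HQ's LAN over the tunnel; everything else drops.
policy-map type inspect out-to-in
 class type inspect from-hq-over-vpn
  inspect
 class class-default
  drop
! Internet -> the router itself: ping, plus IKE/ESP from the HQ peer so
! the tunnel can still come up; class-default drop would otherwise
! block the VPN. Self -> out-zone stays open (no zone-pair defined),
! so echo replies and the router's own tunnel traffic go out freely.
policy-map type inspect out-to-self
 class type inspect vpn-control
  pass
 class type inspect allow-ping-in
  pass
 class class-default
  drop
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect out-to-in
zone-pair security out-self source out-zone destination self
 service-policy type inspect out-to-self
```

The in-zone to out-zone policy the remote clients already use is left out; with `inspect` on out-to-in, replies to sessions HQ opens are allowed back through it automatically.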

