Site to Site VPN: PIX v6.3 and Router v12.4

Unanswered Question
Feb 17th, 2009


I setup a site-to-site VPN between a router and a PIX. The tunnel is up and I can access both sites when ping from users connected LAN (both sites). The issue is when I login to the router console, then from their I can't ping the other site but when i issue this command "PING SOURCE" it is successful. By using this command "PING" it is not successful.

I need this for the VoIP configuration.

dial-peer voice 4001 voip

destination-pattern 1..

voice-class h323 1

session target ipv4:

dtmf-relay h245-alphanumeric

codec g711ulaw

Voice gateway resides at LAN B.

Network Topology.

LAN-A<-->ROUTER<-- WAN --->PIX<--> LAN-B

LAN A network: 1.1.1.x/24

LAN B network: 2.2.2.x/24

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JamesLuther Tue, 02/17/2009 - 04:10


I'm going to guess why this without seeig the full config....

The difference between the two situations is that when you type "PING" the packet doesn't match the VPN ACL and therefore is sent out onto the internet in plain text with a source IP of your outside interface.

When you type "PING SOURCE" the traffic will now match the VPN ACL and is encrypted and sent down the tunnel.

Rejohn Ronald Cuares Tue, 02/17/2009 - 04:25

Thank you for your reply JamesLuther .

I am thinking this way as well. Now, I am searching if I can change the source of ICMP. In telnet I can change the source by using this syntax "ip telnet source-interface INTERFACE_NAME" but for ICMP there is none. Any other solution for this?

JamesLuther Tue, 02/17/2009 - 04:46


I'm not sure that this is possible. Am I right in saying that this is needed as the router is doing voip as well as VPN?

I don't know exactly what you setup is or what you're trying to achieve but you might find configuring a IPSec/GRE tunnel will solve this issue. That way you can explicitly route all traffic for towards the Tunnel interface regardless of the source IP.

Google "ipsec gre tunnel" for some documents on how to configure this.

Let me know if this helps.


Rejohn Ronald Cuares Tue, 02/17/2009 - 04:59

You mean that i will do port forwarding under PIX and configure IPSec/GRE between LAN A Router & LAN B VG Router?


This Discussion