
Site to Site VPN: PIX v6.3 and Router v12.4

Rejohn Cuares
Level 4

Hi,

I set up a site-to-site VPN between a router and a PIX. The tunnel is up and I can access both sites when pinging from users connected to the LAN (both sites). The issue is when I log in to the router console, then from there I can't ping the other site, but when I issue this command "PING 2.2.2.1 SOURCE 1.1.1.1" it is successful. By using this command "PING 2.2.2.1" it is not successful.

I need this for the VoIP configuration.

dial-peer voice 4001 voip
 destination-pattern 1..
 voice-class h323 1
 session target ipv4:2.2.2.2
 dtmf-relay h245-alphanumeric
 codec g711ulaw

Voice gateway resides at LAN B.

Network Topology.

LAN-A<-->ROUTER<-- WAN --->PIX<--> LAN-B

LAN A network: 1.1.1.x/24

LAN B network: 2.2.2.x/24

Please rate replies and mark question as "answered" if applicable.
4 Replies

JamesLuther
Level 3

Hello,

I'm going to guess why this is without seeing the full config...

The difference between the two situations is that when you type "PING 2.2.2.1" the packet doesn't match the VPN ACL and therefore is sent out onto the internet in plain text with a source IP of your outside interface.

When you type "PING 2.2.2.1 SOURCE 1.1.1.1" the traffic will now match the VPN ACL and is encrypted and sent down the tunnel.
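The behaviour described in the reply above, modelled as an added example that is not part of the original thread: first-match crypto ACL evaluation with IOS wildcard masks, applied to pings typed on the router itself. The ACL line is an assumption built from the LAN subnets in the question (the thread does not show the real configuration), and `OUTSIDE_IP` is a constructed WAN address.

```python
import ipaddress

# Assumed crypto ACL; the thread does not show the real one. Subnets are from the post.
CRYPTO_ACL = ["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]
OUTSIDE_IP = "192.0.2.1"  # constructed WAN interface address (documentation range)


def _wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def crypto_acl_permits(src, dst, acl=CRYPTO_ACL):
    """First-match evaluation; a packet matching no line hits the implicit deny."""
    for line in acl:
        action, proto, s, sw, d, dw = line.split()
        if proto == "ip" and _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action == "permit"
    return False


def router_ping(dst, source=None, egress_ip=OUTSIDE_IP):
    """Model a ping typed on the router console.

    With no explicit source, the router-originated packet carries the address
    of the egress (outside) interface, and that address is what the crypto ACL
    is checked against.
    """
    src = source or egress_ip
    if crypto_acl_permits(src, dst):
        return src, "encrypted in tunnel"
    return src, "sent outside the tunnel"


if __name__ == "__main__":
    for args in [("2.2.2.1", None), ("2.2.2.1", "1.1.1.1"), ("2.2.2.2", None)]:
        print(args, "->", router_ping(*args))
```

The third case is the dial-peer's `session target ipv4:2.2.2.2`: signalling that the router originates from its outside address misses the ACL in the same way as the plain ping.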

Thank you for your reply, JamesLuther.

I am thinking this way as well. Now, I am searching if I can change the source of ICMP. In telnet I can change the source by using this syntax "ip telnet source-interface INTERFACE_NAME" but for ICMP there is none. Any other solution for this?

Please rate replies and mark question as "answered" if applicable.

Hello,

I'm not sure that this is possible. Am I right in saying that this is needed as the router is doing voip as well as VPN?

I don't know exactly what your setup is or what you're trying to achieve, but you might find configuring an IPSec/GRE tunnel will solve this issue. That way you can explicitly route all traffic for 2.2.2.2 towards the Tunnel interface regardless of the source IP.

Google "ipsec gre tunnel site:cisco.com" for some documents on how to configure this.

Let me know if this helps.

Thanks

You mean that I will do port forwarding under PIX and configure IPSec/GRE between LAN A Router & LAN B VG Router?

Please rate replies and mark question as "answered" if applicable.