no reply from Trace route across PIX vpn tunnel

Unanswered Question
Jan 22nd, 2003

I have the following setup:

site a -> sessionWall--routera--vpn tunnel--routerb---PIX--->routerc--siteb

There is a VPN tunnel between the sessionWall firewall and the PIX firewall. Traffic is encrypted within the tunnel; after the firewalls, traffic is clear.

When I do a trace route from site A to site B, I cannot see any reply from the routers (e.g. routerc) after the 2 firewalls, which are in the clear; I can only see a reply from the end node. Why is it so?

Thanks much for the advice,


kagodfrey Wed, 01/22/2003 - 19:27

My best guess would be that the source address that routerc replies to ICMP with may not necessarily be the address it is configured with on the siteb LAN, and therefore may not be allowed through the VPN tunnel.

Can you ping all of routerc's interface addresses?



yeopaul Thu, 01/23/2003 - 19:14

Thank you Kev,

Actually, I can ping all the interfaces on routerc.

Say I am not worried about people mapping out my network: how do I actually allow trace route across my VPN tunnel, that is, to allow all routers to reply? What is needed for trace route to work? I have actually enabled ICMP type 11 on the PIX but it doesn't seem to work.

Any advice appreciated.

