PIX and ICMP through a VPN tunnel

Unanswered Question
Feb 6th, 2003
User Badges:
  • Silver, 250 points or more

I've configured a PIX 515E, code revision 6.2(2) with a VPN configuration

which permits Cisco VPN 3.x clients to terminate VPN sessions on a lower

security interface and gain access to resources on the inside (security

level 100) interface. The terminating interface is not the 'outside'

interface (security level 0), but is a lower security level than the

'inside' interface.

There is an access-list applied to both the 'inside' and 'extranet'

interfaces for non-VPN traffic. I've noticed that I can establish a VPN

tunnel successfully and pass traffic (e.g WWW, NT-based resources etc.),

but I am unable to ping resources on the 'inside' interface through the

VPN tunnel (though I can access them through tcp/udp). According to the

debugging logs, it is the ACL on the 'inside' interface which is blocking

ICMP (presumably echo-reply) and temporarily removing this ACL (it is

currently in a lab environment :) allows VPN users on the 'extranet'

network to ping resources on the 'inside' network. I have the "sysopt

connection permit-ipsec" command in the configuration, which I believed

bypassed ACL-checking for VPN traffic; though from my observations so far,

it may actually be more subtle than that. Is the ASA also bypassed for VPN traffic?

Does anything special need to be configured for ICMP through a VPN tunnel

terminating on a PIX when ACLs are applied? I am using NAT 0 access-list

to bypass NAT for traffic destined to the VPN clients from the 'inside'

network, and there is a net static between the 'extranet' and 'inside'

networks which effectively disables NAT between these interfaces for

non-VPN traffic.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gfullage Thu, 02/06/2003 - 16:47
User Badges:
  • Cisco Employee,

"sysopt connection permit-ipsec" bypasses inbound ACL's for VPn traffic and allows them straight into your inside network. This command does NOT allow the return traffic through if it is being denied by an ACL on your inside network though, so you will need to let ICMP's in on your inside interface if you want to be able to ping those hosts through the VPN.

mmelbourne Fri, 02/07/2003 - 05:48
User Badges:
  • Silver, 250 points or more

Thanks for your reply. Why don't I need to let other (non-ICMP) traffic through the inbound ACL; why just ICMP? Is it the case that the PIX is still actually inspecting VPN traffic using its ASA algorithm (and letting the replies back), but because ICMP is not inspected by the PIX, these replies must be permitted explicitly?


This Discussion