I've configured a PIX 515E, code revision 6.2(2) with a VPN configuration
which permits Cisco VPN 3.x clients to terminate VPN sessions on a lower
security interface and gain access to resources on the inside (security
level 100) interface. The terminating interface is not the 'outside'
interface (security level 0), but is a lower security level than the
There is an access-list applied to both the 'inside' and 'extranet'
interfaces for non-VPN traffic. I've noticed that I can establish a VPN
tunnel successfully and pass traffic (e.g. WWW, NT-based resources etc.),
but I am unable to ping resources on the 'inside' interface through the
VPN tunnel (though I can access them through tcp/udp). According to the
debugging logs, it is the ACL on the 'inside' interface which is blocking
ICMP (presumably echo-reply) and temporarily removing this ACL (it is
currently in a lab environment :) allows VPN users on the 'extranet'
network to ping resources on the 'inside' network. I have the "sysopt
connection permit-ipsec" command in the configuration, which I believed
bypassed ACL-checking for VPN traffic; though from my observations so far,
it may actually be more subtle than that. Is the ASA also bypassed for VPN traffic?
Does anything special need to be configured for ICMP through a VPN tunnel
terminating on a PIX when ACLs are applied? I am using NAT 0 access-list
to bypass NAT for traffic destined to the VPN clients from the 'inside'
network, and there is a net static between the 'extranet' and 'inside'
networks which effectively disables NAT between these interfaces for