Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
0
Helpful
2
Replies

PIX and ICMP through a VPN tunnel

mmelbourne
Level 5
Level 5

‎02-06-2003 04:24 AM - edited ‎02-21-2020 12:20 PM

I've configured a PIX 515E, code revision 6.2(2) with a VPN configuration

which permits Cisco VPN 3.x clients to terminate VPN sessions on a lower

security interface and gain access to resources on the inside (security

level 100) interface. The terminating interface is not the 'outside'

interface (security level 0), but is a lower security level than the

'inside' interface.

There is an access-list applied to both the 'inside' and 'extranet'

interfaces for non-VPN traffic. I've noticed that I can establish a VPN

tunnel successfully and pass traffic (e.g WWW, NT-based resources etc.),

but I am unable to ping resources on the 'inside' interface through the

VPN tunnel (though I can access them through tcp/udp). According to the

debugging logs, it is the ACL on the 'inside' interface which is blocking

ICMP (presumably echo-reply) and temporarily removing this ACL (it is

currently in a lab environment :) allows VPN users on the 'extranet'

network to ping resources on the 'inside' network. I have the "sysopt

connection permit-ipsec" command in the configuration, which I believed

bypassed ACL-checking for VPN traffic; though from my observations so far,

it may actually be more subtle than that. Is the ASA also bypassed for VPN traffic?

Does anything special need to be configured for ICMP through a VPN tunnel

terminating on a PIX when ACLs are applied? I am using NAT 0 access-list

to bypass NAT for traffic destined to the VPN clients from the 'inside'

network, and there is a net static between the 'extranet' and 'inside'

networks which effectively disables NAT between these interfaces for

non-VPN traffic.

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎02-06-2003 04:47 PM

"sysopt connection permit-ipsec" bypasses inbound ACL's for VPn traffic and allows them straight into your inside network. This command does NOT allow the return traffic through if it is being denied by an ACL on your inside network though, so you will need to let ICMP's in on your inside interface if you want to be able to ping those hosts through the VPN.

0 Helpful

mmelbourne
Level 5
Level 5
In response to gfullage

‎02-07-2003 05:48 AM

Thanks for your reply. Why don't I need to let other (non-ICMP) traffic through the inbound ACL; why just ICMP? Is it the case that the PIX is still actually inspecting VPN traffic using its ASA algorithm (and letting the replies back), but because ICMP is not inspected by the PIX, these replies must be permitted explicitly?

0 Helpful
Customers Also Viewed These Support Documents