Does permit ip include ICMP and TCP?

May 3rd, 2005

I have an access list that defines interesting traffic to initiate a VPN tunnel. However, when I ping the remote network the access list hitcount does not increase and the packet does not go through. Any advice? The actual access list is: access-list 204 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0


Thanks!

ovieira Tue, 05/03/2005 - 08:08

Hi!

Can you be more specific about both VPN enabled gateways (ios, pix...). Can you post VPN/IPSec configuration from both sides?



The ACL you describe should enable you to ping network 10.40.0.0/16 from network 10.10.0.0/16.


Regards.

bjrusse123 Tue, 05/03/2005 - 10:36

Thanks for your response ovieira. I have a PIX 515 connecting to a PIX 505 through a site-to-site VPN. They are both running 6.3(3). I have a network application at the remote side (PIX 505) which is able to connect to a server on our local side. However, other than that I can't get any other traffic to go through the VPN.



Here is our local (PIX 515) configuration:

cisco-pix-col# sh cry map

Crypto Map: "xxx" interfaces: { outside }

Crypto Map "xxx" 1 ipsec-isakmp
Peer = remote pix outside port
access-list 204; 1 elements
access-list 204 line 1 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0 (hitcnt=8128)
Current peer: remote pix outside port
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ yyy, }

Here is our remote (PIX 505) configuration:

Crypto map "xxx" 1 ipsec-isakmp
Peer=remote pix outside port
access list 101
current peer: remote pix outside port
etc.

Access list 101 is: permit ip 10.40.0.0 255.255.0.0 10.10.0.0 255.255.0.0


thanks for your help!

ovieira Wed, 05/04/2005 - 00:46

Hi!

Can you "ping" from the client to the server and activate the "debug icmp trace" on both PIXs. Paste the log output here.



Regards.

bjrusse123 Wed, 05/04/2005 - 05:17

I can't telnet into the remote PIX and it will be a while before I can physically go over there. However, I think I found what might be the problem.

On our local PIX the subnet mask is wrong on the isakmp key address. Eg. isakmp key ****** address (outside remote pix) netmask (wrong net mask). Do you think this could explain my problems?

ovieira Wed, 05/04/2005 - 09:10

Hi! I don't think that explains the problem because if so you shouldn't be able to access the remote server as well.



Regards.

bjrusse123 Wed, 05/04/2005 - 10:13

You're right. That did not fix the problem. The incorrect subnet mask was actually 255.255.255.255, which is a valid wildcard.


I don't know if I explained the situation well enough though. There is no remote server. The network setup is as follows.




Local net---Pix515-----Router-----pub address/internet----Router--Pix501--Remote net.


There are no servers on the remote network. There is an application on computers on the remote network that is able to connect to a server on our local network. However, other than that connection there is no connectivity between the two networks. I can't ping remote computers and remote computers can't ping my workstation on the local network.


P.S. The crypto maps and the isakmp key and address are correct on the remote PIX.


Thanks for your help and interest in this problem ovieira

ovieira Thu, 05/05/2005 - 00:32

You're welcome. Like I said before, those ICMP debugs would really help.



Regards.

bjrusse123 Thu, 05/05/2005 - 05:39

I don't know what the debug icmp trace would tell you, but I have pasted below the trace from my workstation to a node on the remote network. I can't get the remote ICMP trace right now, but I will post it when I get it.



4208: ICMP echo-request from inside:10.2.2.4 to 10.40.0.255 ID=512 seq=16429 length=40


This line just repeats several times.

jackko Thu, 10/27/2005 - 17:39

Just a quick question.

Wondering if the PC/server has a software firewall installed.

AlexNepomiachy Tue, 11/01/2005 - 22:33

Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The decision:

PIX1

!--- crypto access-list
access-list inside_outbound_nat0_acl permit ip InsidePix1Net mask InsidePix2Net mask
nat (inside) 0 access-list inside_outbound_nat0_acl

!--- access-list with access-group command
access-list outside_icmp_en permit icmp any InsidePix2Net mask echo
access-group outside_icmp_en in interface outside

access-list inside_acl permit tcp InsidePix1Net mask any eq www
access-list inside_acl permit udp InsidePix1Net mask any eq domain
access-list inside_acl permit tcp InsidePix1Net mask any eq pop3
access-list inside_acl permit tcp InsidePix1Net mask any eq imap4
!--- PDM
access-list inside_acl permit tcp InsidePix1Net mask any eq https
........
!---
access-list inside_acl permit ip any InsidePix2Net mask
!---
access-group inside_acl in interface inside

PIX2 - mirror
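An added example, not code from this thread or from Cisco: a small Python evaluator for PIX-style access lists, written to show the two points the thread turns on. First, a `permit ip` entry matches every IP protocol, so the crypto ACL 204 from the original question covers ICMP and TCP alike; it is the interface ACL bound with `access-group`, not the crypto ACL, that decides whether a ping is admitted. Second, an interface ACL entry only admits what it names: the `permit icmp ... echo` line from the reply above matches echo-requests and nothing else, so an echo-reply arriving on that interface is still dropped unless it is permitted by its own entry. The value 10.40.0.0/16 standing in for InsidePix2Net and all test packets are constructed assumptions, except the echo-request from 10.2.2.4 to 10.40.0.255, which is taken from the debug output posted earlier in the thread.

```python
"""Evaluate packets against PIX-style access lists (constructed example).

PIX ACL syntax used here (a subset):
  access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]
  SRC / DST are 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (a subnet mask,
  not an IOS wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # PIX keyword, e.g. "echo", "echo-reply"
    dport: Optional[str] = None       # PIX service keyword, e.g. "www"


@dataclass
class Entry:
    name: str
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: Optional[str] = None   # ICMP type, or the port after "eq"


def _take_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one access-list line into an Entry."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if tok[2] == "line":              # 'show access-list' output carries 'line N'
        del tok[2:4]
    name, action, proto = tok[1], tok[2].lower(), tok[3].lower()
    src, i = _take_addr(tok, 4)
    dst, i = _take_addr(tok, i)
    rest = tok[i:]
    qualifier = None
    if rest:
        if proto in ("tcp", "udp") and rest[0] == "eq" and len(rest) == 2:
            qualifier = rest[1]
        elif proto == "icmp" and len(rest) == 1:
            qualifier = rest[0]
        else:
            raise ValueError(f"unsupported qualifier {rest!r} in {line!r}")
    return Entry(name, action, proto, src, dst, qualifier)


def entry_matches(e: Entry, p: Packet) -> bool:
    # "permit ip" covers every IP protocol, so ICMP and TCP both match it.
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src:
        return False
    if ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.qualifier is None:
        return True
    # An ICMP entry with a type keyword matches only that type; an echo-reply
    # does not match "echo" and needs its own permit entry.
    if e.proto == "icmp":
        return p.icmp_type == e.qualifier
    return p.dport == e.qualifier


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry wins; a PIX ACL ends with an implicit deny."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, p):
            return e.action
    return "deny"


# The crypto ACL from the original question (taken from the thread).
CRYPTO_204 = ["access-list 204 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0"]

# The interface ACL from the last reply, with InsidePix2Net assumed to be 10.40.0.0/16.
OUTSIDE_ICMP = ["access-list outside_icmp_en permit icmp any 10.40.0.0 255.255.0.0 echo"]

if __name__ == "__main__":
    ping = Packet("icmp", "10.10.1.5", "10.40.2.7", icmp_type="echo")      # constructed
    reply = Packet("icmp", "10.40.2.7", "10.10.1.5", icmp_type="echo-reply")
    logged = Packet("icmp", "10.2.2.4", "10.40.0.255", icmp_type="echo")   # from the debug output
    print("crypto ACL 204 vs ping:        ", evaluate(CRYPTO_204, ping))
    print("crypto ACL 204 vs logged ping: ", evaluate(CRYPTO_204, logged))
    print("outside_icmp_en vs echo:       ", evaluate(OUTSIDE_ICMP, ping))
    print("outside_icmp_en vs echo-reply: ", evaluate(OUTSIDE_ICMP, reply))
```

Run against the thread's own values, the evaluator reports that the crypto ACL permits both an ICMP ping and a TCP session between 10.10.0.0/16 and 10.40.0.0/16, that the echo-request logged by `debug icmp trace` (source 10.2.2.4) does not fall inside 10.10.0.0/16 and so does not match ACL 204 at all, and that `permit icmp any ... echo` on the outside interface admits echo-requests only.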

