Does permit ip include ICMP and TCP?

Unanswered Question
May 3rd, 2005

I have an access list that defines interesting traffic to initiate a VPN tunnel. However, when I ping the remote network the access list hitcount does not increase and the packet does not go through. Any advice? The actual access list is: access-list 204 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0

Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
ovieira Tue, 05/03/2005 - 08:08

Hi!

Can you be more specific about both VPN enabled gateways (ios, pix...). Can you post VPN/IPSec configuration from both sides?

The ACL you describe should enable you to ping network 10.40.0.0/16 from network 10.10.0.0/16.

Regards.

bjrusse123 Tue, 05/03/2005 - 10:36

Thanks for your response ovieira. I have a pix 515 connecting to a pix 505 through a site-to-site VPN. They are both running 6.3(3). I have a network application at the remote side (pix 505) which is able to connect to a server on our local side. However, other than that I cant get any other traffic to go through the VPN.

here is our local (pix 515) configuration

cisco-pix-col# sh cry map

Crypto Map: "xxx" interfaces: { outside }

Crypto Map "xxx" 1 ipsec-isakmp

Peer = remote pix outside port

access-list 204; 1 elements

access-list 204 line 1 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255

.0.0 (hitcnt=8128)

Current peer: remote pix outside port

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ yyy, }

here is our remote (pix 505) configuration

Crypto map "xxx" 1 ipsec-isakmp

Peer=remote pix outside port

access list 101

current peer: remote pix outside port

etc.

access list 101 is: permit ip 10.40.0.0 255.255.0.0 10.10.0.0 255.255.0.0

thanks for your help!

ovieira Wed, 05/04/2005 - 00:46

Hi!

Can you "ping" from the client to the server and activate the "debug icmp trace" on both PIXs. Paste the log output here.

Regards.

bjrusse123 Wed, 05/04/2005 - 05:17

I cant telnet into the remote PIX and it will be awhile before I can physically go over there. However, I think I found what might be the problem.

On our local PIX the subnet mask is wrong on the isakmp key address. Eg. isakmp key ****** address (outside remote pix) netmask (wrong net mask). Do you think this could explain my problems?

ovieira Wed, 05/04/2005 - 09:10

Hi! I don't think that explains the problem because if so you shouldn't be able to access the remote server as well.

Regards.

bjrusse123 Wed, 05/04/2005 - 10:13

Your right. That did not fix the problem. The incorrect subnet mask was actually 255.255.255.255 which is a valid wildcard.

I don't know if I explained the situation well enough though. There is no remote server. The network setup is as follows.

Local net---Pix515-----Router-----pub address/internet----Router--Pix501--Remote net.

There are not servers on the remote network. There is an application on computers on the remote network that are able to connect to a server on our local network. However, other than that connection there is no connectivity between the two networks. I cant ping remote computers and remote computers can't ping my workstation on the local network.

P.S. The crypto maps and isakmp key and address is correct on the remote pix

Thanks for your help and interest in this problem ovieira

ovieira Thu, 05/05/2005 - 00:32

You're welcome. Like i said before, those icmp debugs would really help.

Regards.

bjrusse123 Thu, 05/05/2005 - 05:39

I don't know what the debug icmp trace would tell you but I have pasted below the trace from my workstation to a node on the remote network. I cant get the remote icmp trace right now but I will post it when I get it.

4208: ICMP echo-request from inside:10.2.2.4 to 10.40.0.255 ID=512 seq=16429 length=40

this line just repeats several times

jackko Thu, 10/27/2005 - 17:39

just a quick question.

wondering if the pc/server has software firewall installed.

AlexNepomiachy Tue, 11/01/2005 - 22:33

Inbound ICMP through the PIX is denied by default;

outbound ICMP is permitted, but the incoming reply is denied by default:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The decision:

PIX1

!--- crypto access-list

access-list inside_outbound_nat0_acl permit ip InsidePix1Net mask InsidePix2Net mask

nat (inside) 0 access-list inside_outbound_nat0_acl

!--- access-list with access-group command

access-list outside_icmp_en permit icmp any InsidePix2Net mask echo

access-group outside_icmp_en in interface outside

access-list inside_acl permit tcp InsidePix1Net mask any eq www

access-list inside_acl permit udp InsidePix1Net mask any eq domain

access-list inside_acl permit tcp InsidePix1Net mask any eq pop3

access-list inside_acl permit tcp InsidePix1Net mask any eq imap4

!--- PDM

access-list inside_acl permit tcp InsidePix1Net mask any eq https

........

!---

access-list inside_acl permit ip any InsidePix2Net mask

!---

access-group inside_acl in interface inside

PIX2 - mirror

Actions

Login or Register to take actions

This Discussion

Posted May 3, 2005 at 7:25 AM
Stats:
Replies:12 Avg. Rating:
Views:1531 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard