Community Member

Can't ping remote SR 520 router, Zone Based Security

Hi,

I have an SR 520 router located at my remote site with public IP xx.8.140.226, and private IP 192.168.3.1.

The central office is at public IP xx.60.101.154, and has a 10.1.1.0 scheme. I have a site to site VPN tunnel between the central and remote sites.

It seems to work fine, but I can't ping the remote site from the central site. In other words, I can't ping 192.168.3.1, the SR520's inside address, from the central site. The SR 520's public address (xx.8.140.226) also cannot be pinged from the internet.

From the remote site, I can ping the central site fine. I must be using zone based security incorrectly in the attached remote site config? What do I need to do to make the remote site pingable, and preferably the clients behind the remote site SR520 pingable from the central site? Can someone help? It would be much appreciated.

3 REPLIES
Community Member

Re: Can't ping remote SR 520 router, Zone Based Security

I was able to resolve these pinging problems. I added a new inspect class map ("allow-ping-in") which matched protocol icmp. I added this class map to the policy affecting traffic from out-zone to self. I also added a policy for out-zone to in-zone and added the same class map to it. So now I can ping the outside interface from the internet, and I seem to be able to ping the clients in the remote site from the central site.

Still, I can't access a server or perform any functions on the clients in the remote site from HQ, only ping them. Do I need to allow tcp and udp access from the out-zone to the in-zone? Or maybe I need to specify that this traffic will come only from HQ, 10.1.1.0? Isn't there any way to specify using the fact that there is a VPN between the 2 sites?

I attached my latest config. Tell me if anyone has any suggestions for it.

Thanks!

Community Member

Re: Can't ping remote SR 520 router, Zone Based Security

Maybe instead of matching protocol icmp coming from out-zone to self, and from out-zone to in-zone, I should have matched default-inspection traffic instead?

Community Member

Re: Can't ping remote SR 520 router, Zone Based Security

Does anyone have any idea whether, if I apply "match default-inspection-traffic" to class map "allow-ping-in", I will be able to operate on clients behind this firewall, as in use VNC on them and access a database I have over there?
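
A constructed IOS zone-based firewall sketch, added here and not taken from the attached config, showing the shape the replies describe but limiting the out-zone to in-zone policy to HQ's 10.1.1.0 subnet instead of opening TCP/UDP from the whole internet. The zone names, the "allow-ping-in" class map and the subnets come from the thread; the ACL and policy names, the /24 masks, and the assumption that the tunnel is a crypto-map VPN terminating on the outside interface (so decrypted HQ traffic is evaluated on the out-zone to in-zone pair) are mine.

```cisco
! Constructed example, not the poster's attached configuration.
! Assumes: outside interface in "out-zone", LAN interface in "in-zone",
! HQ LAN 10.1.1.0/24, remote LAN 192.168.3.0/24, crypto-map VPN on the
! outside interface so decrypted HQ traffic hits out-zone -> in-zone.

! Only HQ's private subnet may initiate sessions toward the remote LAN.
ip access-list extended HQ-TO-REMOTE-LAN
 permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255

! Protocols HQ may initiate (ping, VNC and database over TCP, UDP apps).
class-map type inspect match-any HQ-PROTOCOLS
 match protocol icmp
 match protocol tcp
 match protocol udp

! match-all: the source/destination restriction AND one of the protocols.
class-map type inspect match-all HQ-INBOUND
 match access-group name HQ-TO-REMOTE-LAN
 match class-map HQ-PROTOCOLS

! Ping to the router's own outside address, kept narrow (ICMP only).
class-map type inspect match-all allow-ping-in
 match protocol icmp

! inspect = stateful; replies are allowed automatically, so nothing
! needs to be opened on the in-zone -> out-zone pair for these sessions.
policy-map type inspect OUT-TO-IN
 class type inspect HQ-INBOUND
  inspect
 class class-default
  drop log

! class-default is left as pass so IKE/ESP to the router keep working;
! narrowing it to the HQ peer address is a separate, later step.
policy-map type inspect OUT-TO-SELF
 class type inspect allow-ping-in
  inspect
 class class-default
  pass

zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN
zone-pair security OUT-SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF
```

Sessions that do not originate from 10.1.1.0/24 fall into class-default and are dropped and logged, so a "show policy-map type inspect zone-pair OUT-IN" will reveal whether HQ traffic is actually matching HQ-INBOUND or being dropped.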
