Can't ping remote SR 520 router, Zone Based Security

itccv0822
Level 1

Hi,

I have an SR 520 router located at my remote site with public IP xx.8.140.226, and private IP 192.168.3.1.

The central office is at public IP xx.60.101.154, and has a 10.1.1.0 scheme. I have a site to site VPN tunnel between the central and remote sites.

It seems to work fine, but I can't ping the remote site from the central site. In other words, I can't ping 192.168.3.1, the SR520's inside address, from the central site. The SR 520's public address (xx.8.140.226) also cannot be pinged from the internet.

From the remote site, I can ping the central site fine. I must be using zone-based security incorrectly in the attached remote-site config. What do I need to do to make the remote site pingable, and preferably the clients behind the remote-site SR 520 pingable from the central site? Can someone help? It would be much appreciated.

3 Replies

itccv0822
Level 1

I was able to resolve these pinging problems. I added a new inspect class map ("allow-ping-in") which matched protocol icmp. I added this class map to the policy affecting traffic from out-zone to self. I also added a policy for out-zone to in-zone and added the same class map to it. So now I can ping the outside interface from the internet, and I seem to be able to ping the clients in the remote site from the central site.

Still, I can't access a server or perform any functions on the clients in the remote site from HQ, only ping them. Do I need to allow tcp and udp access from the out-zone to the in-zone? Or maybe I need to specify that this traffic will come only from HQ, 10.1.1.0? Isn't there any way to specify using the fact that there is a VPN between the 2 sites?

I attached my latest config. Tell me if anyone has any suggestions for it.

Thanks!

Maybe instead of matching protocol icmp coming from out-zone to self, and from out-zone to in-zone, I should have matched default-inspection traffic instead?

Does anyone have any idea whether, if I apply "match default-inspection-traffic" to class map "allow-ping-in", I will be able to operate on the clients behind this firewall, e.g. use VNC on them or access a database I have over there?
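One way to answer the "do I have to open all TCP and UDP from out-zone to in-zone?" question is to scope the out-zone to in-zone policy to the VPN peer's subnet instead of to the whole internet. With a crypto-map tunnel terminated on the outside interface, decrypted HQ traffic is classified by the zone-based firewall as arriving from the outside interface's zone, so it is the out-zone to in-zone zone-pair that must permit it. The configuration below is an added example, not the poster's attached config: it keeps the zone names from the thread (out-zone, in-zone), assumes /24 masks for the 10.1.1.0 and 192.168.3.0 networks, and uses hypothetical names for the ACL, class maps and policy map.

```cisco
! Added example (not from the attached config): only the HQ LAN,
! reached over the VPN, may initiate TCP/UDP/ICMP into the remote LAN.
! Assumed /24 masks; the thread only states the network prefixes.
ip access-list extended ACL-HQ-TO-REMOTE
 permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Protocols to stateful-inspect for the HQ hosts.
class-map type inspect match-any CM-HQ-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! match-all: traffic must be HQ->remote AND one of the protocols above.
class-map type inspect match-all CM-HQ-TO-REMOTE
 match access-group name ACL-HQ-TO-REMOTE
 match class-map CM-HQ-PROTOCOLS
!
! Inspect (stateful, return traffic allowed) for HQ; drop and log
! everything else that arrives from out-zone towards in-zone.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-HQ-TO-REMOTE
  inspect
 class class-default
  drop log
!
! Bind the policy to the out-zone -> in-zone direction; replaces the
! icmp-only policy described in the reply above.
zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-TO-IN
```

After applying it, "show policy-map type inspect zone-pair OUT-TO-IN sessions" lists the HQ-initiated sessions being inspected, and the drop log counters show whether anything else from the internet is still trying to reach the inside hosts.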
