01-04-2009 03:30 PM - edited 03-11-2019 07:32 AM
Hi,
I have an SR520 router located at my remote site with public IP xx.8.140.226, and private IP 192.168.3.1.
The central office is at public IP xx.60.101.154, and has a 10.1.1.0 scheme. I have a site to site VPN tunnel between the central and remote sites.
It seems to work fine, but I can't ping the remote site from the central site. In other words, I can't ping 192.168.3.1, the SR520's inside address, from the central site. The SR520's public address (xx.8.140.226) also cannot be pinged from the internet.
From the remote site, I can ping the central site fine. I must be using zone-based security incorrectly in the attached remote site config? What do I need to do to make the remote site pingable, and preferably the clients behind the remote site SR520 pingable from the central site? Can someone help? It would be much appreciated.
01-05-2009 07:42 AM
I was able to resolve these pinging problems. I added a new inspect class map ("allow-ping-in") which matched protocol icmp. I added this class map to the policy affecting traffic from out-zone to self. I also added a policy for out-zone to in-zone and added the same class map to it. So now I can ping the outside interface from the internet, and I seem to be able to ping the clients in the remote site from the central site.
Still, I can't access a server or perform any functions on the clients in the remote site from HQ, only ping them. Do I need to allow tcp and udp access from the out-zone to the in-zone? Or maybe I need to specify that this traffic will come only from HQ, 10.1.1.0? Isn't there any way to specify using the fact that there is a VPN between the 2 sites?
I attached my latest config. Tell me if anyone has any suggestions for it.
Thanks!
01-05-2009 08:05 AM
Maybe instead of matching protocol icmp coming from out-zone to self, and from out-zone to in-zone, I should have matched default-inspection traffic instead?
01-05-2009 01:54 PM
Anyone have any idea if I apply "match default-inspection-traffic" to class map "allow-ping-in", will I be able to operate on clients behind this firewall, as in, use VNC on them or access a database I have over there?
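One way to express what the posts above are asking for in IOS zone-based firewall syntax, added here as an example and not taken from the thread or its attached configs: instead of opening all TCP and UDP from out-zone to in-zone, the class map only inspects traffic that arrives already decrypted from the HQ network, which is the "use the fact that there is a VPN" idea from the second post. Assumptions: the HQ LAN is 10.1.1.0/24 (the thread only says "10.1.1.0 scheme"), the remote LAN is 192.168.3.0/24, the zone names out-zone, in-zone and self are the ones the posts use, and the ACL, class-map and policy-map names are made up for this example.

```cisco
! Added example, not the thread's attached config.
! Assumes HQ LAN 10.1.1.0/24, remote LAN 192.168.3.0/24, zones out-zone / in-zone.
!
! Packets sourced from 10.1.1.0/24 can only reach this ACL after IPsec has
! decrypted them, so matching on the HQ source network restricts the policy
! to tunnel traffic without opening the LAN to arbitrary Internet hosts.
ip access-list extended HQ-TO-REMOTE
 permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Protocols to inspect for HQ -> remote LAN (match-any: any one of these).
class-map type inspect match-any VPN-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! match-all: the packet must come from the HQ ACL AND be one of the protocols.
! (Putting several "match protocol" lines directly in a match-all class would
! never match, which is why the protocol list is a nested class map.)
class-map type inspect match-all HQ-VPN-TRAFFIC
 match access-group name HQ-TO-REMOTE
 match class-map VPN-PROTOCOLS
!
! Stateful inspection for HQ traffic; everything else from out-zone is
! dropped and logged so unexpected inbound attempts show up in the log.
policy-map type inspect OUT-TO-IN
 class type inspect HQ-VPN-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN
!
! Ping of the outside interface itself (out-zone -> self), as in the second
! post, limited to ICMP rather than all inspectable traffic.
class-map type inspect match-all allow-ping-in
 match protocol icmp
!
policy-map type inspect OUT-TO-SELF
 class type inspect allow-ping-in
  inspect
!
zone-pair security OUT-TO-SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF
```

The existing rules that let ISAKMP (UDP/500) and ESP reach the self zone are deliberately not shown, since the tunnel already comes up in the thread; keep whatever currently permits them.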