Cisco Support Community

VPN issues along with ICMP

Dear Sir,

I am facing the following problem with my Pix.

I have configured site-to-site VPN on the pix. Due to the fact that our customer does not route any private IPs, I am sending the VPN traffic through a NATted IP (i.e. Also the remote IP, which I am accessing through VPN, is also a public IP (for ex: So the moment I am enabling internet on my PC, the entire traffic for the server goes through the internet instead of the VPN tunnel.

I configured VPN as follows.

access-list 80 permit tcp host eq https
access-list 90 permit tcp host host eq https
nat (inside) 2 access-list 80 0 0
global (outside) 2

I run internet on the PC as follows.

access-list NET1 permit ip host any
nat (inside) 10 access-list NET1 0 0
global (outside) 10

1) But the customer wants to run VPN as well as internet on the local LAN PCs. For the time being I am not running internet on the PCs which are accessing the VPN-based application. So is there a solution to it?

2) I could ping the IP from the Pix. But when I tried to ping the IP from my PC, it's not pinging. To be on the safer side I have enabled "conduit permit icmp any any" on the pix. But still it's not working. The remote peer has enabled ICMP from their end. So do you have any solution to this question as well?

Also I am attaching the pix config for your kind reference.

Thanks and regards,

Sairam Bharati


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 90 permit tcp host host eq https
access-list NET1 permit ip host any
access-list NET1 permit ip host any
access-list NET1 permit ip host any
access-list 80 permit tcp host eq https
logging on
logging trap warnings
logging host inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 125.x.x.227
global (outside) 2 125.x.x.240
global (dmz) 1
nat (inside) 10 access-list NET1 0 0
nat (inside) 2 access-list 80 0 0
conduit permit icmp any any
route outside 0.0.x.x.20.37.225 1
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map earthlink 20 ipsec-isakmp
crypto map earthlink 20 match address 90
crypto map earthlink 20 set pfs group2
crypto map earthlink 20 set peer
crypto map earthlink 20 set transform-set esp-3des-sha
crypto map earthlink interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 28800
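As an added example, not part of the post and not Cisco code: a small Python checker that parses PIX 6.3-style access-list, nat, global and crypto map lines and reports, for one flow leaving the PC, every policy-NAT rule whose ACL matches it, the outside address that flow would be translated to, and whether the crypto ACL then matches the translated flow. It illustrates both questions in the post: the HTTPS flow to the server matches both NET1 and access-list 80, so the pool it lands in (and therefore whether access-list 90 ever sees it) depends on the order of the two nat statements, and an ICMP flow matches neither access-list 80 nor access-list 90, so a ping from the PC is never a candidate for the tunnel regardless of the conduit. The example assumes first-match evaluation of policy NAT in configuration order; verify that against the PIX release notes before relying on it. All addresses are constructed RFC 5737 placeholders because the page does not show the real ones, and reorder_vpn_first is a helper of this example, not a PIX command.

```python
"""Added example: check which PIX 6.3 policy-NAT and crypto ACL entries a flow hits."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges); the page does
# not show the poster's real IPs. Last octets mirror the posted global pools.
PC = "192.0.2.10"             # inside PC
SERVER = "203.0.113.50"       # remote server reached over the VPN
VPN_POOL = "198.51.100.240"   # global (outside) 2, the address the peer expects
NET_POOL = "198.51.100.227"   # global (outside) 10, ordinary internet PAT

# Constructed config mirroring the post: nat 10 (internet) listed before nat 2 (VPN).
CONFIG_AS_POSTED = f"""
access-list 80 permit tcp host {PC} host {SERVER} eq https
access-list 90 permit tcp host {VPN_POOL} host {SERVER} eq https
access-list NET1 permit ip host {PC} any
global (outside) 10 {NET_POOL}
global (outside) 2 {VPN_POOL}
nat (inside) 10 access-list NET1 0 0
nat (inside) 2 access-list 80 0 0
crypto map earthlink 20 match address 90
"""

PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ftp": 21, "ssh": 22}


@dataclass
class Ace:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(t, i):
    """Consume one PIX address spec (any | host X | X MASK) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (aces, nat rules in config order, global address by nat id, crypto ACL names)."""
    aces, nats, globals_, crypto = [], [], {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            aces.append(Ace(t[1], t[3], src, dst, dport))
        elif t[0] == "nat" and t[3] == "access-list":
            nats.append((t[2], t[4]))          # (nat id, acl name), order preserved
        elif t[0] == "global":
            globals_[t[2]] = t[3]              # nat id -> outside address
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto.append(t[t.index("address") + 1])
    return aces, nats, globals_, crypto


def ace_matches(ace, src, dst, proto, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src:
        return False
    if ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def acl_hits(aces, name, flow):
    return any(ace_matches(a, *flow) for a in aces if a.acl == name)


def classify(config, src, dst, proto, dport=None):
    """Return (matching nat ids in config order, translated source, tunneled?).

    Assumption of this example: the first matching policy-NAT rule wins and its
    global address becomes the source the crypto ACL is evaluated against."""
    aces, nats, globals_, crypto = parse_config(config)
    flow = (src, dst, proto, dport)
    hits = [nat_id for nat_id, acl in nats if acl_hits(aces, acl, flow)]
    translated = globals_.get(hits[0], src) if hits else src
    tunneled = any(acl_hits(aces, c, (translated, dst, proto, dport)) for c in crypto)
    return hits, translated, tunneled


def reorder_vpn_first(config):
    """Helper of this example: swap the two nat lines so the VPN rule comes first."""
    lines = config.splitlines()
    i10 = next(i for i, l in enumerate(lines) if l.startswith("nat (inside) 10"))
    i2 = next(i for i, l in enumerate(lines) if l.startswith("nat (inside) 2"))
    lines[i10], lines[i2] = lines[i2], lines[i10]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED),
                       ("vpn nat first", reorder_vpn_first(CONFIG_AS_POSTED))):
        print(label, "https:", classify(cfg, PC, SERVER, "tcp", 443))
        print(label, "icmp: ", classify(cfg, PC, SERVER, "icmp"))
```

With the nat lines in the posted order the HTTPS flow is captured by nat 10 first, leaves with the internet pool address and never matches access-list 90; with the VPN rule listed first it is translated to the pool-2 address and the crypto ACL matches. The ICMP flow matches only NET1 in both cases, which is why a conduit alone does not make the PC's ping traverse the tunnel.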


Re: VPN issues along with ICMP

The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection to "trust" ICMP messages that are generated within a private network and to permit the associated ICMP replies. Thus, network administrators can debug network issues by using ICMP without concern that possible intruders may enter the network.

