A little VPN trouble ( not able to ping to remote hosts)

bhatti.imran
Level 1

Dear all,

I am in trouble regarding the VPN.

I am using Cisco PIX 501 on both sides.

The VPN tunnel has been established, but I am not able to ping remote inside hosts.

Below is the command output of sh crypto ipsec

inbound esp sas:
  spi: 0x918bdc56(2441862230)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 1, crypto map: newmap
    sa timing: remaining key lifetime (k/sec): (4608000/28375)
    IV size: 8 bytes
    replay detection support: Y

outbound esp sas:
  spi: 0x69b6dd53(1773591891)
    transform: esp-des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2, crypto map: newmap
    sa timing: remaining key lifetime (k/sec): (4607999/28357)
    IV size: 8 bytes
    replay detection support: Y

sh crypto isakmp sa

Total : 1
Embryonic : 0
        dst          src        state    pending  created
    10.1.1.162   10.1.1.164    QM_IDLE      0        1

Attached below are also the config files for both firewalls.

Could anyone please help me in resolving this issue?


martin_lx1980
Level 1

I think you have the correct configuration.

According to the config, you are able to ping from the Branch inside PC to the HO inside PC. But you are not able to ping from the Branch inside PC to the Branch outside interface, HO outside interface and HO inside interface.

If you add the command

conduit permit icmp any any

you are able to ping from the Branch inside PC to the HO outside interface.

Thanks for the reply, but I am not able to ping from HO to branch office inside PCs, and also not from branch office inside PCs to HO inside office PCs.

I think conduit permit icmp any any will not have an effect, as we allowed all the IPsec traffic using the sysopt command.

Now the question is: if my config is correct, then why am I not able to access the resources through the IPsec tunnel?

Please help me.

I have done a similar experiment several times. I think you have the correct configuration. Through the commands

show crypto isakmp sa

show crypto ipsec sa

both results indicated the IPsec tunnel is set up successfully. Try to

clear crypto isakmp sa

and retry to set up the tunnel.

If all things are still right, try to check your PC.

ajagadee
Cisco Employee

Imran,

After configuring the VPN tunnel, did you do "clear xlate" before trying to ping the hosts?

Also, what are the source and destination of your ping packets?

Also, what is the default gateway of the hosts that you are trying to ping? Does the IP addressing that you are trying to access route to the PIX for the tunnel destination traffic?

Let me know when you get a chance.

Regards,

Arul

** Please rate all helpful posts **
