09-30-2005 02:00 PM - edited 02-21-2020 02:00 PM
I have the tunnels up and running and was wondering if all ports are open via the tunnel? How to allow icmp traffic via the tunnel? and other ports if needed?
Thanks!
Che B.
09-30-2005 04:12 PM
You can use the match address access-list to control what is encrypted through the ipsec tunnel.
Refer to step 5 in the link below for an example of the match address ACL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm#wp1009431
Hope that helps.
10-03-2005 04:15 PM
You just need to add: "management-access mgmt_if"
management-access
Enables access to an internal management interface on the firewall.
[no] management-access mgmt_if
show management-access
Syntax Description
mgmt_if
The name of the firewall interface to be used as the internal management interface.
Defaults
None.
Command Modes
The management-access mgmt_if command is available in configuration mode.
The show management-access command is available in privileged mode.
Usage Guidelines
The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)
In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:
SNMP polls to the mgmt_if
HTTPS requests to the mgmt_if
PDM access to the mgmt_if
Telnet access to the mgmt_if
SSH access to the mgmt_if
Ping to the mgmt_if
sincerely
Patrick
10-04-2005 01:06 AM
Maybe the posted config of the wholesalepro PIX is not the latest, as there is no VPN setting in it at all.
Under normal circumstances, when configuring a LAN-to-LAN VPN, all protocols and ports are allowed unless you put some restrictions in place.
10-04-2005 06:18 AM
Thanks guys! I was able to get ping to work, but I am still unable to ping the firewalls themselves, only the nodes behind the firewall. I'll try the command referred to me for being able to manage these devices through the IPsec tunnel. Thanks for your expert help!!
Che B.
10-04-2005 07:51 AM
1.) To ping the interface via a VPN tunnel use:
management-access inside
Then ping the inside IP address
2.) To ping from an inside host or from the outside interface:
a.) Ping is not a stateful protocol.
b.) To allow pings from the inside to the outside interface you need to create an access-list.
c.) If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.
Example: see Handling ICMP Pings with the PIX Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute Command
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Examples:
Traceroute
Microsoft:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
ICMP command example
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
sincerely
Patrick
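As an added illustration (not part of this thread and not Cisco's code), the Python below models how a PIX 6.3 "icmp" command list is evaluated for ICMP aimed at the firewall's own interfaces: rules are checked top-down, the first match wins, a configured list ends in an implicit deny, and with no icmp commands at all everything is permitted. Fed the rule list posted above (re-typed here as constructed sample input), it also shows that an echo-reply arriving on the outside interface matches "icmp deny any outside" before the permit entry under it is ever reached.

```python
import ipaddress

# PIX 6.3 "icmp" command semantics (ICMP to the firewall's own interfaces):
# first match wins, a configured list ends in an implicit deny, and an
# empty list permits all ICMP. Rule list re-typed from the post above.
ICMP_RULES = """
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
""".strip().splitlines()

def parse_rule(line):
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] if_name'."""
    tok = line.split()
    if tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line}")
    action, rest = tok[1], tok[2:]
    if rest[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:  # address followed by a dotted-decimal mask
        net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    if_name = rest[-1]
    icmp_type = rest[0] if len(rest) == 2 else None  # None = any ICMP type
    return {"action": action, "net": net, "type": icmp_type, "if": if_name}

def evaluate(rule_lines, src_ip, icmp_type, if_name):
    """Decide one ICMP packet addressed to interface if_name.
    Returns (decision, matched_rule_or_None)."""
    rules = [parse_rule(ln) for ln in rule_lines if ln.strip()]
    if not rules:
        return "permit", None        # no icmp commands: all ICMP allowed
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r["if"] == if_name and src in r["net"]
                and r["type"] in (None, icmp_type)):
            return r["action"], r    # first match decides
    return "deny", None              # implicit deny at end of the list

if __name__ == "__main__":
    for pkt in [("192.168.1.30", "echo", "inside"),
                ("192.168.1.50", "echo", "inside"),
                ("10.0.0.1", "echo-reply", "outside")]:
        print(pkt, "->", evaluate(ICMP_RULES, *pkt)[0])
```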