Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allowing ping through pix to pix (501) vpn tunnel?

I have the tunnels up and running and was wondering if all ports are open via the tunnel? How to allow icmp traffic via the tunnel? and other ports if needed?

Thanks!

Che B.

6 REPLIES
New Member

Re: Allowing ping through pix to pix (501) vpn tunnel?

You can use the match address access-list to control what is encrypted through the ipsec tunnel.

Refer to step 5 in the link below for an example of the match address ACL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm#wp1009431

Hope that helps.

New Member

Re: Allowing ping through pix to pix (501) vpn tunnel?

thanks for the reply! I'm still very new with this, i tried those statements and it didn't work, maybe i did it incorrectly? I'll post my configs here for you. This is for both PIX firewalls. Also, how do I enable SSH for remote management?

I've attached both configs for my PIX.

Re: Allowing ping through pix to pix (501) vpn tunnel?

You just need to add: " management-access mgmt_if "

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

management-access

Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if

The name of the firewall interface to be used as the internal management interface.

Defaults

None.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

•SNMP polls to the mgmt_if

•HTTPS requests to the mgmt_if

•PDM access to the mgmt_if

•Telnet access to the mgmt_if

•SSH access to the mgmt_if

•Ping to the mgmt_if

sincerely

Patrick

Gold

Re: Allowing ping through pix to pix (501) vpn tunnel?

maybe the posted config of wholesalepro pix is not the latest, as there is no vpn setting at all.

under normal circumstances, when configuring lan-lan vpn, all protocol and port are allowed unless otherwise you put some restrictions.

New Member

Re: Allowing ping through pix to pix (501) vpn tunnel?

thanks guys! i was able to get ping to work, but still unable to ping the firewalls itself, but any nodes behind the firewall. I'll try the command referred to me for being able to manage these devices through the ipsec tunnel. Thanks for your expert help!!

Che B.

Re: Allowing ping through pix to pix (501) vpn tunnel?

1.) To Ping the interface via a VPN Tunnel use:

management-access inside

Then ping the inside IP address

2.) To ping from an inside host or from the outside interface:

a.) Ping is not a stateful protocol.

b.) To allow pings from the inside to the outside interface you need to create an access-list.

c.) If you want to ping the same interface that you are physicly connected you need to configure the "icmp" command.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traveroute

Microsoft:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.30 echo inside

icmp permit host 192.168.1.31 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

sincerely

Patrick

784
Views
0
Helpful
6
Replies