New Member

Cannot ping PIX inside interface

Hi,

I have a PIX 6.1 firewall in the corporate office.

I have a PIX 3.1 client in the remote network.

I have set up the VPN access.

I am able to connect to the PIX from the remote network and am able to ping the outside IP address of the PIX,

but I am not able to ping the inside IP address of the PIX.

Here is the configuration:

isakmp enable outside
sysopt connection permit-ipsec
isakmp policy 8 authentication pre-share
isakmp policy 8 encr des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp key "password this you know" address 0.0.0.0 netmask 0.0.0.0
ip local pool amapool 10.10.11.1-10.10.11.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto map remote 10 ipsec-isakmp dynamic dynmap
vpngroup amaxbot address-pool amapool
vpngroup amaxbot password (this you know)
vpngroup amaxbot idle-time 1800
crypto map remote interface outside

Any suggestions?

Thanks,

Raul

2 REPLIES
New Member

Re: Cannot ping PIX inside interface

By default you cannot ping the opposite side of the PIX.

Inside users can ping the inside interface but not the outside, and vice versa.

Although you are coming through a VPN, it is still from outside and the same rules apply.

Also

As you are using the unified client, the wildcard isakmp key line is not required. The client connects using the group name amaxbot and the password specified in the vpngroup statement.
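An added check, not from this thread or from Cisco, that parses a PIX 6.x fragment like the one posted and reports the two configuration points the replies turn on: a wildcard isakmp key left in place while a vpngroup password is doing the authentication, and a client address pool that the nat 0 exemption ACL does not cover (which would keep inside hosts unreachable from the client). The config text is a constructed sample with placeholder secrets, and parse/audit are hypothetical helper names.

```python
import ipaddress

# Constructed sample modelled on the post's config, with placeholder secrets.
PIX_CONFIG = """\
isakmp key PLACEHOLDER-KEY address 0.0.0.0 netmask 0.0.0.0
ip local pool amapool 10.10.11.1-10.10.11.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup amaxbot address-pool amapool
vpngroup amaxbot password PLACEHOLDER-PASSWORD
"""

def parse(config):
    """Collect pools, ACL destinations, nat 0 ACL ids, vpngroups, wildcard key."""
    st = {"pools": {}, "acls": {}, "nat0": set(), "groups": {}, "wildcard": False}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"]:
            first, last = w[4].split("-")
            st["pools"][w[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            # the destination network/mask pair is what must contain the client pool
            dst = ipaddress.ip_network(f"{w[6]}/{w[7]}", strict=False)
            st["acls"].setdefault(w[1], []).append(dst)
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            st["nat0"].add(w[4])
        elif w[:1] == ["vpngroup"] and w[2:3] == ["address-pool"]:
            st["groups"].setdefault(w[1], {})["pool"] = w[3]
        elif w[:1] == ["vpngroup"] and w[2:3] == ["password"]:
            st["groups"].setdefault(w[1], {})["password"] = True
        elif w[:2] == ["isakmp", "key"] and w[-3:] == ["0.0.0.0", "netmask", "0.0.0.0"]:
            st["wildcard"] = True
    return st

def audit(config):
    """Return findings: redundant wildcard PSK, and pools the nat 0 ACL misses."""
    st = parse(config)
    findings = []
    if st["wildcard"] and any(g.get("password") for g in st["groups"].values()):
        findings.append("wildcard isakmp key is redundant: vpngroup password is in use")
    exempt = [n for acl in st["nat0"] for n in st["acls"].get(acl, [])]
    for name, g in st["groups"].items():
        pool = st["pools"].get(g.get("pool"))
        if pool and not all(any(a in n for n in exempt) for a in pool):
            findings.append(f"pool for vpngroup {name} is not exempted by the nat 0 ACL")
    return findings

if __name__ == "__main__":
    for f in audit(PIX_CONFIG):
        print(f)
```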

New Member

Re: Cannot ping PIX inside interface

Hi,

In addition to not being able to ping the inside interface IP address, I was not able to ping any machine which has an IP address in the inside address range of the PIX.

In other words, I was not able to ping any machine in their LAN.

Now I think I have solved it: I have added a manual route to the inside interface in my client, with metric 2.

Now I am able to ping machines which are in the inside interface range of the PIX.

Thanks,

Raul
