Cisco Support Community
Community Member

Can't ping thru remote VPN

Hi All,

I have a client that is using a 506e with the 4.02 Cisco client for remote VPN. The PIX has multiple inside routes. The first network on the inside is 192.168.1.X and the 506's E1 is 192.168.1.1. The second network is 10.71.56.X.

The problem is once the VPN is connected I can ping any host on the 192.168.1.X but not anything on the 10.71.56.X network. No netbios either. From the PIX I can ping hosts on both internal networks.

Here is the config below. Thanks!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxxxx
hostname GNB-PIX
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service QUBEADMIN tcp
port-object range 444 444
access-list outside_access_in permit tcp any host 12.X.X.X eq pop3
access-list outside_access_in permit tcp any host 12.X.X.X eq smtp
access-list outside_access_in permit tcp any host 12.X.X.X eq domain
access-list outside_access_in permit tcp any host 12.X.X.X eq www
access-list outside_access_in permit tcp any host 12.X.X.X object-group QUBEADMIN
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host 12.169.2.21 eq ssh
access-list GNB_splitTunnelAcl permit ip 10.71.56.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.71.56.32 255.255.255.224
pager lines 24
logging on
logging timestamp
logging standby
logging buffered notifications
logging trap errors
logging history notifications
logging queue 0
logging host inside 10.71.55.10
logging host outside 192.104.109.91
interface ethernet0 auto
interface ethernet1 auto
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.X.X.X 255.255.254.0
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 10.71.56.40-10.71.56.50
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.X.X.X 192.168.1.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.X.X.X 1
route inside 10.71.55.0 255.255.255.0 192.168.1.1 1
route inside 10.71.56.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup GNB address-pool VPNPOOL
vpngroup GNB dns-server 10.71.56.10 10.71.56.10
vpngroup GNB split-tunnel GNB_splitTunnelAcl
vpngroup GNB idle-time 1800
vpngroup GNB password ********
telnet timeout 5
ssh timeout 60
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
GNB-PIX#

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Can't ping thru remote VPN

You are using 10.71.56.0 255.255.255.0 in two places: you route to it via 192.168.1.1, but you are also allocating addresses from it for VPN clients. Hosts that are on the 10.71.56.0/24 segment, if they manage to get the packet from the VPN-connected client (that is assigned a 10.71.56.x address), would send the reply packet to that request to the local subnet, not to the router that has the 192.168.1.1 interface, which is what would be necessary for it to work.

You need to use a different netblock for your VPN clients; you cannot use the same IP space across two different networks.
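The overlap the answer describes is easy to miss by eye in a long config, so here is a small check that catches it mechanically. This is an added example, not code from the thread or from Cisco: it parses the `ip local pool`, `route` and `ip address` lines of a PIX 6.x configuration, turns each routed or directly connected subnet into a network object, and reports any client pool whose address range falls inside one of them. The config excerpt is a constructed copy of the relevant lines from the question; the "corrected" variant, which moves the pool to 10.71.57.0/24, is an assumption chosen only to show a clean result, not a recommendation from the answer.

```python
import ipaddress
import re

# Constructed excerpt: the address-bearing lines from the PIX config in the
# question, trimmed to the ones this check cares about.
ORIGINAL_CONFIG = """\
ip address inside 192.168.1.254 255.255.255.0
ip local pool VPNPOOL 10.71.56.40-10.71.56.50
route inside 10.71.55.0 255.255.255.0 192.168.1.1 1
route inside 10.71.56.0 255.255.255.0 192.168.1.1 1
"""

# Hypothetical corrected version: the pool moved to a netblock that is not
# routed anywhere inside (10.71.57.0/24 is an assumption, not from the thread).
CORRECTED_CONFIG = ORIGINAL_CONFIG.replace(
    "10.71.56.40-10.71.56.50", "10.71.57.40-10.71.57.50")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Return ({pool_name: (first, last)}, [(description, IPv4Network)])."""
    pools = {}
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
        elif m := ROUTE_RE.match(line):
            iface, dest, mask, gateway = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            if net.prefixlen == 0:      # default route: not a local subnet
                continue
            nets.append((f"route {iface} {dest} {mask} via {gateway}", net))
        elif m := ADDR_RE.match(line):
            iface, addr, mask = m.groups()
            # strict=False so a host address with its mask yields the subnet
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            nets.append((f"{iface} interface {addr}", net))
    return pools, nets


def pool_conflicts(pools, nets):
    """List (pool, description) pairs where a client pool overlaps a subnet
    that is directly connected or reachable through a route."""
    findings = []
    for name, (first, last) in pools.items():
        for desc, net in nets:
            # Two contiguous ranges overlap iff neither ends before the other starts.
            if first <= net[-1] and last >= net[0]:
                findings.append((name, desc))
    return findings


def check_config(text):
    """Parse a config and return the pool/subnet overlaps found in it."""
    pools, nets = parse_config(text)
    return pool_conflicts(pools, nets)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG),
                       ("corrected", CORRECTED_CONFIG)):
        hits = check_config(cfg)
        print(label, "->", hits or "no pool/subnet overlap")
```

Run against the original excerpt it flags VPNPOOL against the `route inside 10.71.56.0 255.255.255.0` entry, which is exactly the conflict the answer points out; against the relocated pool it reports nothing. The same pattern (every address range a device hands out must lie outside every subnet it knows a route to) applies to any VPN concentrator, not just a PIX.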

2 REPLIES
Community Member

Re: Can't ping thru remote VPN

The blinders were on! Thanks for finding that.
