Can't ping VPN router

I have set up a site-to-site VPN on an 827 router to a Netscreen firewall. The VPN works fine; I can ping from one private network to the other. However, when telnetted into the 827 router, I cannot ping hosts at the other end of the VPN; also, I cannot ping the 827 router's private IP address (Ethernet0) from behind the Netscreen. I CAN ping the router's public IP address (ATM0).

Any ideas?

3 REPLIES
Re: Can't ping VPN router

Is all other traffic getting through?

Do your access-lists at either end define ICMP as interesting or allowed traffic?

Re: Can't ping VPN router

If you mean through the VPN, then yes. e.g. from a PC behind the 827, I can connect to any PC behind the firewall, not just ping but telnet and all other traffic.

Here is the 827 config for you to look at.

Current configuration : 2772 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname kinrtr01
!
logging rate-limit console 10 except errors
enable secret 5 $1$8Kna$x/WbzzqIZLg3nEF6SWuxC.
!
username admin password 7 044F02020E2D
clock timezone GMT 0
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
ip name-server 158.43.240.4
ip name-server 158.43.240.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw vdolive timeout 3600
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key un1tedh0use address 195.x.x.x 255.255.255.240
crypto ipsec transform-set to_swanley esp-des esp-sha-hmac
!
crypto map to_swanley 1 ipsec-isakmp
 set peer 195.x.x.x
 set transform-set to_swanley
 match address 115
!
!
!
!
interface Ethernet0
 ip address 10.130.0.1 255.255.0.0
 ip access-group 101 in
 ip inspect myfw in
 no ip mroute-cache
 hold-queue 32 in
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 ip address 62.x.x.x 255.255.255.248
 ip access-group 102 in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXX
 ppp chap password 7 00031A0A0B541F0715
 ppp pap sent-username XXXXX password 7 00031F0A0B541F0715
 crypto map to_swanley
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
access-list 101 permit ip 10.130.0.0 0.0.255.255 any
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.130.0.0 0.0.255.255
access-list 101 permit ip host 62.x.x.x any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 permit ip host 195.x.x.x any
access-list 115 permit ip 10.130.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 10.130.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
snmp-server manager
!
line con 0
 exec-timeout 120 0
 login local
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

Re: Can't ping VPN router

You cannot ping the hosts because, when you use the standard ping, the source address is the address of the egress interface, so you do not get a hit on the access list, as the access list is set up to filter packets from the LAN side for tunneling across the VPN. List 115 permits packets from 10.130.x.x to 10.10.x.x (implied deny all at the end), so a standard ping, which has a source address of 65.x.x.x, will be denied by the access list. Try using the extended ping, e.g.

ping and follow the prompts. When you are asked for the source address, specify an address on the LAN. That should work!
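As an added illustration of the reply above (example code, not part of the thread), a small Python check that applies Cisco wildcard-mask semantics to access-list 115 from the posted config and compares a standard ping (sourced from the egress interface) with an extended ping sourced from Ethernet0; the address 62.0.0.1 is a constructed placeholder for the masked 62.x.x.x on Dialer1.

```python
import ipaddress
from typing import Optional

# Cisco wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored.
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits we must compare
    return (a & care) == (n & care)

# access-list 115 as posted: (action, src net, src wildcard, dst net, dst wildcard).
ACL_115 = [
    ("permit", "10.130.0.0", "0.0.255.255", "10.10.0.0", "0.0.255.255"),
]

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# Addresses taken from the posted config; 62.0.0.1 is a constructed placeholder
# for the masked 62.x.x.x on Dialer1 (the egress interface of the default route).
ETHERNET0_IP = "10.130.0.1"
DIALER1_IP = "62.0.0.1"

def ping_source(extended_source: Optional[str] = None) -> str:
    """Standard ping sources from the egress interface; extended ping lets the
    operator choose the source address (here, the LAN-side Ethernet0)."""
    return extended_source if extended_source else DIALER1_IP

def crypto_map_matches(dst: str, extended_source: Optional[str] = None) -> bool:
    """True when the router-originated packet is selected by crypto ACL 115."""
    return acl_action(ACL_115, ping_source(extended_source), dst) == "permit"

if __name__ == "__main__":
    for label, src in (("standard", None), ("extended", ETHERNET0_IP)):
        hit = crypto_map_matches("10.10.0.5", src)
        print(f"{label} ping to 10.10.0.5 from {ping_source(src)}: "
              f"{'selected by crypto map' if hit else 'not selected by crypto map'}")
```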
