Cannot ping vpn client from 1721 cli on tunnel endpoint

jagoe
Level 1

I have a 1721 happily supporting ipsec vpn client connections. With one small exception, everything works perfectly well.

The VPN pool is 10.10.10.1 - 10.10.10.254

The internal interface f0 is assigned 192.168.1.254/24.

In my example:

VPN client ip address is 10.10.10.5

The host address of an arbitrary machine on the internal lan is 192.168.1.151

I am able to ping 10.10.10.5 from 192.168.1.151

I am *not* able to ping 10.10.10.5 from 192.168.1.254 using the cli on the 1721.

There is a very good reason for wanting to resolve this issue. I'd like to be able to access a tftp server on the vpn client directly from the router in order to download new startup-config files. Is there any way to get vpn-client/tunnel-endpoint tftp traffic to go through the tunnel?

Accepted Solution

gfullage
Cisco Employee

When you ping from the CLI on the router, the packet is going to be sourced from the outside interface, not the fa0 interface IP address. The VPN client and router have only built a tunnel from the 10.10.10.5 address to the 192.168.1.0 network, so the router will not encrypt a packet that is sourced from its outside IP address.

Try doing an extended ping to 10.10.10.5 and source the packet from 192.168.1.254 and see if that works. If it does, then you'll also have to source your TFTP packets from the inside interface, which you can do with:

ip tftp source-interface fa0

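To make the accepted answer's reasoning concrete, here is an added model (not from the thread and not Cisco IOS code) of the selector check a router applies before it will encrypt a packet into the client's tunnel: the tunnel only covers 192.168.1.0/24 to 10.10.10.5, so a plain ping that defaults to the outside interface address never matches, while an extended ping sourced from 192.168.1.254 does. The outside address 203.0.113.1 and the small routing table are constructed assumptions; the thread does not give them.

```python
"""Why a router-sourced ping misses the IPsec tunnel (added model, not IOS code)."""
from ipaddress import ip_address, ip_network

# Traffic selectors (proxy identities) built for the VPN client session,
# taken from the thread: inside LAN <-> the client's assigned pool address.
LOCAL_SELECTOR = ip_network("192.168.1.0/24")   # router side
REMOTE_SELECTOR = ip_network("10.10.10.5/32")   # VPN client side

INSIDE_IF = "192.168.1.254"    # FastEthernet0, from the thread
OUTSIDE_IF = "203.0.113.1"     # constructed placeholder for the WAN address

# Constructed routing table: the client's pool address is reached through the
# outside interface (it rides inside the tunnel), the LAN through f0.
ROUTES = {
    ip_network("0.0.0.0/0"): OUTSIDE_IF,
    ip_network("192.168.1.0/24"): INSIDE_IF,
}


def matches_tunnel(src: str, dst: str) -> bool:
    """True if a router-originated packet src -> dst falls inside the
    negotiated selectors and will therefore be encrypted."""
    return ip_address(src) in LOCAL_SELECTOR and ip_address(dst) in REMOTE_SELECTOR


def default_source_for(dst: str, routes) -> str:
    """Source address used when no source is given: the IP of the exit
    interface chosen by longest-prefix match, as a plain 'ping' does."""
    d = ip_address(dst)
    best = max((n for n in routes if d in n), key=lambda n: n.prefixlen)
    return routes[best]


def ping_is_encrypted(dst: str, source: str = "") -> bool:
    """Plain 'ping dst' versus an extended ping with an explicit source.
    The same check explains 'ip tftp source-interface fa0': it forces the
    TFTP packets to carry the inside address so they match the selectors."""
    src = source or default_source_for(dst, ROUTES)
    return matches_tunnel(src, dst)


if __name__ == "__main__":
    print("plain ping:   ", ping_is_encrypted("10.10.10.5"))            # False
    print("extended ping:", ping_is_encrypted("10.10.10.5", INSIDE_IF))  # True
```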

2 Replies

Thank you very much. Great explanation, very understandable and right on the money!