New Member

Cannot ping vpn client from 1721 cli on tunnel endpoint

I have a 1721 happily supporting ipsec vpn client connections. With one small exception, everything works perfectly well.

The VPN pool is 10.10.10.1 - 10.10.10.254

The internal interface f0 is assigned 192.168.1.254/24.

In my example:

VPN client ip address is 10.10.10.5

The host address of an arbitrary machine on the internal lan is 192.168.1.151

I am able to ping 10.10.10.5 from 192.168.1.151

I am *not* able to ping 10.10.10.5 from 192.168.1.254 using the cli on the 1721.

There is a very good reason for wanting to resolve this issue. I'd like to be able to access a tftp server on the vpn client directly from the router in order to download new startup-config files. Is there any way to get vpn-client/tunnel-endpoint tftp traffic to go through the tunnel?

Accepted Solutions
Cisco Employee

Re: Cannot ping vpn client from 1721 cli on tunnel endpoint

When you ping from the CLI on the router, the packet is going to be sourced from the outside interface, not the fa0 interface IP address. The VPN client and router have only built a tunnel from the 10.10.10.5 address to the 192.168.1.0 network, so the router will not encrypt a packet that is sourced from its outside IP address.

Try doing an extended ping to 10.10.10.5 and source the packet from 192.168.1.254 and see if that works. If it does, then you'll also have to source your TFTP packets from the inside interface, which you can do with:

ip tftp source-interface fa0
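The behaviour described in this answer comes down to whether a router-originated packet matches the tunnel's crypto ACL (proxy identity). The following added model is not Cisco code or part of the original thread; it uses the thread's addresses and assumes a constructed outside address of 203.0.113.1 and a single permit entry 192.168.1.0/24 to 10.10.10.0/24.

```python
"""Model of the crypto-ACL match that decides whether an IOS router
encrypts a locally generated packet (added illustration, not Cisco code)."""
from ipaddress import ip_address, ip_network

# Proxy identities negotiated with the VPN client: inside LAN <-> client pool.
# Constructed from the addressing given in the thread.
CRYPTO_ACL = [
    ("permit", ip_network("192.168.1.0/24"), ip_network("10.10.10.0/24")),
]

INSIDE_IP = ip_address("192.168.1.254")   # fa0 on the 1721 (from the thread)
OUTSIDE_IP = ip_address("203.0.113.1")    # constructed placeholder public address
VPN_CLIENT = ip_address("10.10.10.5")     # client address from the thread


def matches_crypto_acl(src, dst, acl=CRYPTO_ACL):
    """True if src->dst hits a permit entry, i.e. the packet will be encrypted.
    A packet matching no entry bypasses IPsec and is forwarded in the clear."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of the ACL


def router_originated_source(source_interface=None):
    """Source address IOS uses for its own traffic: the egress (outside)
    interface unless a source-interface is configured or given to ping."""
    return INSIDE_IP if source_interface == "fa0" else OUTSIDE_IP


def will_encrypt(dst, source_interface=None):
    """Does a router-originated packet to dst get encrypted into the tunnel?"""
    return matches_crypto_acl(router_originated_source(source_interface), dst)


if __name__ == "__main__":
    # Plain 'ping 10.10.10.5' from the CLI: sourced from outside, no match.
    print(will_encrypt(VPN_CLIENT))          # False
    # Extended ping / 'ip tftp source-interface fa0': sourced from inside.
    print(will_encrypt(VPN_CLIENT, "fa0"))   # True
    # Host on the LAN pinging the client matches the proxy identity.
    print(matches_crypto_acl("192.168.1.151", "10.10.10.5"))  # True
```

The same check explains why 192.168.1.151 can reach the client while the router's own unsourced ping cannot, and why the TFTP transfer must be sourced from fa0 as well.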

2 REPLIES
New Member

Re: Cannot ping vpn client from 1721 cli on tunnel endpoint

Thank you very much. Great explanation, very understandable and right on the money!
