Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Denying ICMP requests causing problems with IPSEC VPN

Hi Amir,

I have successfully set up a IPSEC VPN with IKE between our PIX 515 and a netopia 9100 series router at our ISP's end.

I wish to disable interface pinging on the external interface of the PIX and I have used the following commands on the PIX:

Access-list acl_out deny icmp any any

Access-list acl_in deny icmp any any

ICMP deny 192.168.1.4 255.255.255.240 3 outside

This disables the interface to ICMP requests and places it in stealth mode

However I then get an issue with the IPSEC tunnel which I believe times out after a certain amount of time being idle. The Tunnel is unable to re estalish unless I remove the ICMP deny command from the PIX.

Can you please give me some pointers?

Apologies if this is a simple thing but I am new to Cisco commands and I am following the manual for this configuration.

Regards

Jamal

2 REPLIES
Cisco Employee

Re: Denying ICMP requests causing problems with IPSEC VPN

Hi Jamal,

Sorry for the delay in the response, I was out on training.

Anyhow this seems to be a specific issue which will need to be troubleshooted and specific debug information will be needed to see whats going on here. I think the fastest way to get solution on this would be to open a TAC case to have an Engineer troubleshoot this for you.

Regards,

Aamir

New Member

Re: Denying ICMP requests causing problems with IPSEC VPN

Hi Amir,

Thanks for the reply. I have manged to get traffic passing across the VPN I found that I had not added a route to my Windows 2000 client.

I have a new problem in that I am unable to initiate the connection from my end (PIX end) the ASP who's netopia router I am connecting to has to ping my internal address and the IPSEC tunnel becomes active with a status of QM_IDLE.

If I try to initiate the connection from the PIX end I get a tunnel status of MM_NO _STATE and the IPSEC tunnel does not negotiate a connection.

Your help is very much appreciated.

Jamal

89
Views
0
Helpful
2
Replies