Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
220
Views
0
Helpful
2
Replies

Denying ICMP requests causing problems with IPSEC VPN

j.khandia
Level 1
Level 1

‎08-29-2002 01:41 AM - edited ‎02-21-2020 12:01 PM

Hi Amir,

I have successfully set up a IPSEC VPN with IKE between our PIX 515 and a netopia 9100 series router at our ISP's end.

I wish to disable interface pinging on the external interface of the PIX and I have used the following commands on the PIX:

Access-list acl_out deny icmp any any

Access-list acl_in deny icmp any any

ICMP deny 192.168.1.4 255.255.255.240 3 outside

This disables the interface to ICMP requests and places it in stealth mode

However I then get an issue with the IPSEC tunnel which I believe times out after a certain amount of time being idle. The Tunnel is unable to re estalish unless I remove the ICMP deny command from the PIX.

Can you please give me some pointers?

Apologies if this is a simple thing but I am new to Cisco commands and I am following the manual for this configuration.

Regards

Jamal

Labels:
0 Helpful
2 Replies 2

awaheed
Cisco Employee
Cisco Employee

‎09-05-2002 12:46 AM

Hi Jamal,

Sorry for the delay in the response, I was out on training.

Anyhow this seems to be a specific issue which will need to be troubleshooted and specific debug information will be needed to see whats going on here. I think the fastest way to get solution on this would be to open a TAC case to have an Engineer troubleshoot this for you.

Regards,

Aamir

0 Helpful

j.khandia
Level 1
Level 1
In response to awaheed

‎09-09-2002 01:14 AM

Hi Amir,

Thanks for the reply. I have manged to get traffic passing across the VPN I found that I had not added a route to my Windows 2000 client.

I have a new problem in that I am unable to initiate the connection from my end (PIX end) the ASP who's netopia router I am connecting to has to ping my internal address and the IPSEC tunnel becomes active with a status of QM_IDLE.

If I try to initiate the connection from the PIX end I get a tunnel status of MM_NO _STATE and the IPSEC tunnel does not negotiate a connection.

Your help is very much appreciated.

Jamal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents