Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
2
Replies

no reply from Trace route across PIX vpn tunnel

yeopaul
Level 1
Level 1

‎01-22-2003 07:01 PM - edited ‎02-21-2020 12:18 PM

I have the following setup:

site a -> sessionWall--routera--vpn tunnel--routerb---PIX--->routerc--siteb

there is a VPN tunnel between the sessionWall firewall and the PIX firewall, traffic is encypted within the tunnel, after the firewalls, traffic is clear.

when i do a trace route from site A to site B, I cannot see any reply from the routers(e.g. routerc) after the 2 firewalls, which is in the clear, I can only see reply from the end node. why is it so?

Thanks much for the advise,

Paul

Labels:
0 Helpful
2 Replies 2

kagodfrey
Level 3
Level 3

‎01-22-2003 07:27 PM

Hi

My best guess would be that the source address that routerc replies to icmp with. may not necessarily be the address it is configured with on the siteb LAN, and therefore may not be allowed through the VPN tunnel.

Can you ping all of routerc's interface addresses?

HTH

Kev

0 Helpful

yeopaul
Level 1
Level 1
In response to kagodfrey

‎01-23-2003 07:14 PM

Thank you Kev,

actually I can ping all the interfaces on routerc.

say if i am not worry about people mapping out my network. how do I actually allow trace route across my vpn tunnel, that is to allow all routers to reply, what is needed for trace route to work? I have actually enable ICMP type 11 on the PIX but it doesn't seems to work.

any advise appreciated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents