10-27-2005 02:43 AM - edited 02-21-2020 02:04 PM
Hi,
I have set up a VPN tunnel that looks up. I would like to test it, but I cannot ping the internal interface of the PIX. Is this possible or not? I have read on the forum that it is not possible to ping the internal interface from external... is that true?
What do I need to do for that?
here is the crypto map:
Crypto Map PIX1: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 193.252.xxx.124
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit icmp UK-LAN 255.255.255.0 Paris-LAN 255.255.255.0 (hitcnt=0)
Current peer: 193.252.xxx.124
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-AES-128-SHA, }
Crypto Map PIX2: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 81.178.yyy.230
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip Paris-LAN 255.255.255.0 UK-LAN 255.255.255.0 (hitcnt=0)
Current peer: 81.178.yyy.230
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-AES-128-SHA, }
isakmp PIX1:
isakmp enable outside
isakmp key ******** address 193.252.24.124 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp PIX2:
isakmp enable outside
isakmp key ******** address 81.178.19.230 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
Don't see what's wrong; I should be able to ping the internal interface of the PIXes.
Thanks
Cedric
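Before testing a tunnel by pinging through it, it is worth checking that the two "show crypto map" outputs above actually describe the same tunnel. Cisco documents the crypto ACLs on the two peers as mirror images of each other (same protocol, source and destination swapped), and the PFS setting and transform sets must agree. The script below is an added example, not part of this thread or of any Cisco tool; it parses the two outputs posted above (copied here as a constructed sample, with the masked peer addresses left as placeholders) and reports where the two ends disagree. The one finding it raises on this sample is that PIX1 permits only icmp while PIX2 permits ip for the same pair of networks.

```python
"""Sanity-check both ends of a PIX site-to-site tunnel from "show crypto map" output.

Added example: crypto ACLs should be mirror images, PFS must match, and at least
one transform set must be shared. Everything here is parsed from the text only.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the two "show crypto map" excerpts from the post above.
# The masked third octets (xxx / yyy) are left exactly as posted.
PIX1 = """\
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 193.252.xxx.124
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit icmp UK-LAN 255.255.255.0 Paris-LAN 255.255.255.0 (hitcnt=0)
Current peer: 193.252.xxx.124
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-AES-128-SHA, }
"""
PIX2 = """\
Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 81.178.yyy.230
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip Paris-LAN 255.255.255.0 UK-LAN 255.255.255.0 (hitcnt=0)
Current peer: 81.178.yyy.230
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ ESP-AES-128-SHA, }
"""

# One expanded crypto ACL entry: "access-list NAME line N permit PROTO SRC SMASK DST DMASK ..."
ACE_RE = re.compile(r"access-list \S+ line \d+ permit (\S+) (\S+) (\S+) (\S+) (\S+)")


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str
    src_mask: str
    dst: str
    dst_mask: str

    def mirror(self) -> "Ace":
        """The entry the other peer should carry: same protocol, endpoints swapped."""
        return Ace(self.proto, self.dst, self.dst_mask, self.src, self.src_mask)

    def nets(self):
        return (self.src, self.src_mask, self.dst, self.dst_mask)


def parse_aces(text: str):
    """Extract every expanded crypto ACL entry from a 'show crypto map' excerpt."""
    return [Ace(*m.groups()) for line in text.splitlines()
            if (m := ACE_RE.match(line.strip()))]


def parse_pfs(text: str):
    m = re.search(r"PFS \(Y/N\): (\S+)", text)
    return m.group(1) if m else None


def parse_transform_sets(text: str):
    m = re.search(r"Transform sets=\{([^}]*)\}", text)
    return {t.strip() for t in m.group(1).split(",") if t.strip()} if m else set()


def check_tunnel(local_text: str, remote_text: str):
    """Return human-readable findings; an empty list means both ends agree."""
    findings = []
    local, remote = parse_aces(local_text), parse_aces(remote_text)
    remote_mirrors = [ace.mirror() for ace in remote]
    for ace in local:
        if ace in remote_mirrors:
            continue  # exact mirror image found on the other peer
        same_nets = [m for m in remote_mirrors if m.nets() == ace.nets()]
        if same_nets:
            findings.append(f"protocol mismatch: local permits {ace.proto} "
                            f"{ace.src}->{ace.dst}, remote mirrors it with {same_nets[0].proto}")
        else:
            findings.append(f"no mirror entry on remote for {ace.proto} {ace.src}->{ace.dst}")
    # Entries that exist only on the remote side (networks never mentioned locally).
    local_nets = {ace.nets() for ace in local}
    for ace in remote:
        if ace.mirror().nets() not in local_nets:
            findings.append(f"no mirror entry on local for remote {ace.proto} {ace.src}->{ace.dst}")
    if parse_pfs(local_text) != parse_pfs(remote_text):
        findings.append("PFS setting differs between peers")
    if not parse_transform_sets(local_text) & parse_transform_sets(remote_text):
        findings.append("no transform set in common")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(PIX1, PIX2) or ["both ends agree"]:
        print(finding)
```

Run it as-is and it prints the single protocol mismatch; change PIX1's entry from `permit icmp` to `permit ip` and the check comes back clean. The script only reads text, so it can be pointed at any saved "show crypto map" output from two peers.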
10-27-2005 03:46 AM
Cedric,
If you want to ping the internal interface of the PIX via the VPN, you'll need to add (in config mode):
management-access inside
This will give the ability to ping the inside interface of your pix.
Hope this helps.
Jay
10-27-2005 03:46 AM
Use the "management-access" command to allow ping via the VPN peer.
management-access = Enables access to an internal management interface on the firewall.
[no] management-access mgmt_if
show management-access
Syntax Description
mgmt_if
The name of the firewall interface to be used as the internal management interface.
Defaults
None.
Command Modes
The management-access mgmt_if command is available in configuration mode.
The show management-access is available in privileged mode.
Usage Guidelines
The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)
In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:
SNMP polls to the mgmt_if
HTTPS requests to the mgmt_if
PDM access to the mgmt_if
Telnet access to the mgmt_if
SSH access to the mgmt_if
Ping to the mgmt_if
The show management-access command displays the firewall management access configuration.
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
pixfirewall(config)# management-access inside
pixfirewall(config)# show management-access
management-access inside
sincerely
Patrick