Ping Through PIX VPN

stepaneurope
Level 1

Hi,

I have set up a VPN tunnel that is up. I would like to test it, but I cannot ping the internal interface of the PIX. Is this possible or not? I have read on the forum that it is not possible to ping the internal interface from external... is that true?

What do I need to do for that?

Here is the crypto map:

Crypto Map PIX1: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 20 ipsec-isakmp

Peer = 193.252.xxx.124

access-list outside_cryptomap_20; 1 elements

access-list outside_cryptomap_20 line 1 permit icmp UK-LAN 255.255.255.0 Paris-LAN 255.255.255.0 (hitcnt=0)

Current peer: 193.252.xxx.124

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ ESP-AES-128-SHA, }

Crypto Map PIX2: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 20 ipsec-isakmp

Peer = 81.178.yyy.230

access-list outside_cryptomap_20; 1 elements

access-list outside_cryptomap_20 line 1 permit ip Paris-LAN 255.255.255.0 UK-LAN 255.255.255.0 (hitcnt=0)

Current peer: 81.178.yyy.230

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ ESP-AES-128-SHA, }

isakmp PIX1:

isakmp enable outside

isakmp key ******** address 193.252.24.124 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes

isakmp policy 20 hash sha

isakmp policy 20 group 5

isakmp policy 20 lifetime 86400

isakmp PIX2:

isakmp enable outside

isakmp key ******** address 81.178.19.230 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes

isakmp policy 20 hash sha

isakmp policy 20 group 5

isakmp policy 20 lifetime 86400

Don't see what's wrong. I should be able to ping the internal interface of the PIXs.

thanks

Cedric

2 Replies

jmia
Level 7

Cedric,

If you want to ping the internal interface of the PIX via the VPN, you'll need to add (in config mode):

management-access inside

This will give the ability to ping the inside interface of your pix.

Hope this helps.

Jay

Patrick Iseli
Level 7

Use the "management-access" command to allow ping via the VPN peer.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

management-access = Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if

The name of the firewall interface to be used as the internal management interface.

Defaults

None.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

• SNMP polls to the mgmt_if

• HTTPS requests to the mgmt_if

• PDM access to the mgmt_if

• Telnet access to the mgmt_if

• SSH access to the mgmt_if

• Ping to the mgmt_if

The show management-access command displays the firewall management access configuration.

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

pixfirewall(config)# management-access inside

pixfirewall(config)# show management-access

management-access inside

Sincerely,

Patrick
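As an added example (not from this thread or from Cisco), the following Python script checks two things a practitioner would verify before testing a ping across such a tunnel: that each peer's crypto ACL is mirrored on the other peer (same protocol, source and destination swapped), and that the peer whose inside interface is the ping target has the management-access command described in the replies. The sample configs are constructed from the ACL lines in the question; the management-access line on PIX2 is an assumption added for illustration, not something the original post shows.

```python
import re

# Constructed sample excerpts modelled on the two PIX configs in the thread
# (LAN names are the thread's placeholders; management-access on PIX2 is assumed).
PIX1 = """
access-list outside_cryptomap_20 line 1 permit icmp UK-LAN 255.255.255.0 Paris-LAN 255.255.255.0 (hitcnt=0)
isakmp enable outside
"""
PIX2 = """
access-list outside_cryptomap_20 line 1 permit ip Paris-LAN 255.255.255.0 UK-LAN 255.255.255.0 (hitcnt=0)
isakmp enable outside
management-access inside
"""

# Matches both running-config and "show access-list" style lines (optional "line N").
ACL_RE = re.compile(
    r"access-list\s+(\S+)(?:\s+line\s+\d+)?\s+permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_crypto_acl(text):
    """Return (proto, src, src_mask, dst, dst_mask) tuples for every permit entry."""
    return [m.groups()[1:] for m in ACL_RE.finditer(text)]


def has_management_access(text, ifname="inside"):
    """True if 'management-access <ifname>' is present in the config text."""
    pattern = rf"^\s*management-access\s+{re.escape(ifname)}\s*$"
    return re.search(pattern, text, re.MULTILINE) is not None


def acl_mirror_problems(local, remote):
    """Each local entry needs a remote entry with the same protocol and swapped endpoints."""
    remote_entries = parse_crypto_acl(remote)
    problems = []
    for proto, src, smask, dst, dmask in parse_crypto_acl(local):
        mirrored = (proto, dst, dmask, src, smask)
        if mirrored not in remote_entries:
            problems.append(f"no mirror on peer for: permit {proto} {src} {smask} {dst} {dmask}")
    return problems


def check_pair(local, remote):
    """Findings when pinging the remote peer's inside interface from the local LAN."""
    findings = acl_mirror_problems(local, remote)
    if not has_management_access(remote):
        findings.append("peer lacks 'management-access inside'; its inside interface will not answer over the tunnel")
    return findings


if __name__ == "__main__":
    for name, local, remote in (("PIX1 -> PIX2", PIX1, PIX2), ("PIX2 -> PIX1", PIX2, PIX1)):
        print(name, check_pair(local, remote) or ["no findings"])
```

Run against the sample, the script flags the icmp-versus-ip mismatch between the two crypto ACLs in both directions and the missing management-access on PIX1; whether either is the cause of the original poster's problem is for them to confirm on the live devices.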