Cisco Support Community
New Member

ping through tunnel?

I have a question about the basic functioning of the ipsec tunnel in a site-to-site ipsec vpn connection.

I need to be able to ping the external/outside interface of a Cisco 1711 router at a branch office. When I set up the 1711 just as a wide-open box (no security, no firewall, no vpn, no ipsec), then I can successfully ping the external ip address 2.2.2.2. When I implement site-to-site ipsec with pre-shared key, I am no longer able to ping the external ip address (2.2.2.2) of the 1711. In one instance I CAN ping the outside interface; in the other instance, with security and vpn enabled, I can NOT ping the outside interface. Nothing else has changed other than the 1711 config.

What needs to change in the following config (taken from a 1711 at a branch office with a DSL connection to the internet, tunneling to our headquarters office where the ipsec tunnel is terminated at a PIX 515E whose ip address is 1.1.1.1) in order to be able to successfully ping the outside interface's ip address (2.2.2.2) while also retaining the ipsec tunnel?

Using 4631 out of 29688 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname branch_office_1711
!
logging queue-limit 100
logging buffered 51200 warnings
enable secret xxxxxxxx
!
username xxxxxx password xxxxx
ip subnet-zero
!
!
no ip domain lookup
ip domain name mycompany.com
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 vpnsharedkeyvalue address 1.1.1.1
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 1.1.1.1
 set peer 1.1.1.1
 set transform-set SDM_TRANSFORMSET_1
 match address 102
!
!
!
!
interface FastEthernet0
 description OUTSIDE_INTERFACE
 ip address x.x.x.x 255.255.255.0
 ip access-group 101 in
 ip access-group all_outbound out
 ip verify unicast reverse-path
 ip nat outside
 ip inspect DEFAULT100 out
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Async1
 no ip address
!
interface Vlan1
 description INSIDE_INTERFACE
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip access-group all_outbound out
 ip nat inside
!
ip default-gateway 2.2.2.1
ip nat pool branch_local 192.168.2.1 192.168.2.255 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list standard branch_out
 remark branch_out
 remark SDM_ACL Category=2
 remark branch_nat_outside
 permit 192.168.2.0 0.0.0.255
!
ip access-list extended all_inbound
 remark all_inbound
 permit ip any any log
ip access-list extended all_outbound
 remark all_outbound
 permit ip any any log
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip x.x.x.x 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 101 permit esp host 1.1.1.1 host 2.2.2.2
access-list 101 permit ahp host 1.1.1.1 host 2.2.2.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark branch_nat_outside
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
line con 0
line 1
 flush-at-activation
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

-----------

Thanks.
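An added example, not part of the post above: a small first-match evaluator for IOS numbered extended ACLs, fed the branch router's access-list 101 exactly as posted. It shows which entry each packet type lands on when it arrives inbound on FastEthernet0: ISAKMP, ESP and AH from the PIX peer 1.1.1.1 are permitted, while an ICMP echo request to 2.2.2.2 from any other source (5.5.5.5 below is a constructed Internet address) falls through to the final `deny ip any any`. The evaluator handles the `any`, `host`, network/wildcard and `eq <port>` forms used on this page and nothing more; it does not model the dynamic openings CBAC (`ip inspect`) creates for return traffic, so its answer is the static ACL verdict only.

```python
"""Trace a packet through an IOS-style numbered extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "www": 80}

# access-list 101 as it appears in the branch router config above
ACL_101 = """
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
access-list 101 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 101 permit esp host 1.1.1.1 host 2.2.2.2
access-list 101 permit ahp host 1.1.1.1 host 2.2.2.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
"""


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: int             # 0 means "ip", i.e. any IP protocol
    src_net: int
    src_wc: int            # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wc: int
    dport: Optional[int]   # None when the entry has no "eq <port>" qualifier
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens, i):
    """Consume one address spec (any | host A | A wildcard); return (net, wc, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _port(tokens, i):
    """Consume an optional 'eq <port>' qualifier; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(config_text, number):
    """Return the ACEs of numbered extended ACL `number`, in configured order."""
    aces = []
    prefix = f"access-list {number} "
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        tokens = line.split()
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], PROTO_NUMBERS[tokens[3]]
        src, src_wc, i = _addr(tokens, 4)
        _, i = _port(tokens, i)          # source-port qualifier, not needed here
        dst, dst_wc, i = _addr(tokens, i)
        dport, _ = _port(tokens, i)
        aces.append(Ace(action, proto, src, src_wc, dst, dst_wc, dport, line))
    return aces


def _matches(addr, net, wc):
    # Setting the wildcard bits on both sides compares only the "care" bits.
    return (addr | wc) == (net | wc)


def first_match(aces, proto, src, dst, dport=None):
    """First-match evaluation; None means the ACL's implicit deny applies."""
    s, d, p = _ip(src), _ip(dst), PROTO_NUMBERS[proto]
    for ace in aces:
        if ace.proto not in (0, p):
            continue
        if not (_matches(s, ace.src_net, ace.src_wc) and _matches(d, ace.dst_net, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def verdict(proto, src, dst, dport=None, acl_text=ACL_101, number=101):
    """Return (action, matching line) for one packet against the ACL."""
    ace = first_match(parse_acl(acl_text, number), proto, src, dst, dport)
    if ace is None:
        return "deny", "(implicit deny at end of ACL)"
    return ace.action, ace.text


if __name__ == "__main__":
    # 5.5.5.5 is a constructed "some host on the Internet" address
    for pkt in [("icmp", "5.5.5.5", "2.2.2.2", None),
                ("esp", "1.1.1.1", "2.2.2.2", None),
                ("udp", "1.1.1.1", "2.2.2.2", 500),
                ("icmp", "192.168.1.10", "192.168.2.10", None)]:
        print(pkt, "->", verdict(*pkt))
```

The last packet in the usage loop is worth noting: a decrypted HQ-LAN packet from 192.168.1.0/24 to 192.168.2.0/24 also lands on `deny ip any any`, because the only network-to-network permit in ACL 101 names 1.1.1.0/24 (the peer's public block) rather than 192.168.1.0/24 as the source.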

1 REPLY
New Member

Re: ping through tunnel?

Here's the config from the PIX at the other end (at HQ):

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxxxxxx
passwd xxxxxxx
hostname FL-PIX515E
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list vpnmain_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_cryptomap_dyn_20 permit ip any 192.168.1.224 255.255.255.248
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit ip any any
access-list to_branch_via_vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging timestamp
logging trap debugging
logging history debugging
logging host inside 192.168.1.32
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool itdept 192.168.1.225-192.168.1.230
arp timeout 14400
global (outside) 1 1.1.1.10
nat (inside) 0 access-list to_branch_via_vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.1.1.252 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.253 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.246 192.168.1.33 netmask 255.255.255.255 0 0
static (inside,outside) 87.65.43.120 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.245 192.168.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.250 192.168.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.249 192.168.1.28 netmask 255.255.255.255 0 0
static (inside,outside) 87.65.43.119 192.168.1.17 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.254 192.168.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 87.65.43.121 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 87.65.43.118 192.168.1.27 netmask 255.255.255.255 0 0
access-group acl_inside in interface inside
conduit permit tcp host 1.1.1.254 eq smtp any
conduit permit tcp host 1.1.1.252 eq smtp any
conduit permit tcp host 1.1.1.250 eq www any
conduit permit tcp host 1.1.1.254 eq domain any
conduit permit tcp host 1.1.1.253 eq smtp any
conduit permit udp host 1.1.1.254 eq domain any
conduit permit tcp host 1.1.1.245 eq www any
conduit permit tcp host 1.1.1.245 eq smtp any
conduit permit tcp host 1.1.1.251 eq citrix-ica any
conduit permit udp host 1.1.1.251 eq 1604 any
conduit permit tcp host 1.1.1.249 eq www any
conduit permit tcp host 87.65.43.119 eq smtp any
conduit permit udp host 87.65.43.119 eq domain any
conduit permit tcp host 87.65.43.118 eq smtp any
conduit permit tcp host 87.65.43.118 eq www any
conduit permit tcp host 87.65.43.117 eq www any
conduit permit tcp host 87.65.43.120 eq domain any
conduit permit tcp host 87.65.43.120 eq www any
conduit permit tcp host 1.1.1.249 eq ftp any
conduit permit tcp host 1.1.1.249 eq https any
conduit permit tcp host 1.1.1.246 eq www any
conduit permit tcp host 1.1.1.246 eq 491 any
conduit permit tcp host 1.1.1.246 eq https any
conduit permit tcp host 87.65.43.121 eq citrix-ica any
conduit permit udp host 87.65.43.121 eq 1604 any
conduit permit tcp host 87.65.43.120 eq ftp any
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.3 1
route outside 192.168.2.0 255.255.255.0 2.2.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 192.168.1.13 cisco timeout 5
http server enable
http 192.168.1.32 255.255.255.255 inside
http 192.168.1.82 255.255.255.255 inside
http 192.168.1.78 255.255.255.255 inside
http 192.168.1.31 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map cisco 4 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set myset
crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address traffic_to_branch_via_vpn
crypto map dyn-map 10 set peer 2.2.2.2
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 10 set security-association lifetime seconds 28800 kilobytes 40800
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication vpnauth
crypto map dyn-map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map client authentication vpnauth
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpntest address-pool itdept
vpngroup vpntest dns-server 192.168.1.5
vpngroup vpntest wins-server 192.168.1.5
vpngroup vpntest default-domain mycompany.com
vpngroup vpntest split-tunnel 103
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
vpngroup vpnmain address-pool itdept
vpngroup vpnmain dns-server 192.168.1.5
vpngroup vpnmain wins-server 192.168.1.5
vpngroup vpnmain default-domain mycompany.com
vpngroup vpnmain split-tunnel vpnmain_splitTunnelAcl
vpngroup vpnmain idle-time 1800
vpngroup vpnmain password ********
telnet 192.168.1.75 255.255.255.255 inside
telnet 192.168.1.78 255.255.255.255 inside
telnet 192.168.1.31 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxx
: end
[OK]
FL-PIX515E#
ISADB: reaper checking SA 0x109adec, conn_id = 0
FL-PIX515E# sh crypto ipsec sa

interface: outside
    Crypto map tag: dyn-map, local addr. 1.1.1.1

   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 2.2.2.2:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify 99
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: c761f021

     inbound esp sas:
      spi: 0x48118d15(1209109781)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (40788/3200)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xc761f021(3345084449)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (40800/3200)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

interface: inside
    Crypto map tag: inside_map, local addr. 192.168.1.1

FL-PIX515E#

It looks like the tunnel is established, but I can't ping anything on the 192.168.2.0 network from the 192.168.1.0 network. I also cannot ping the outside address of 2.2.2.2. So... is this tunnel working even if I can't ping anything on the other side of it?

Sam
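An added example, not part of the reply above: two checks a practitioner runs over exactly the pair of artifacts Sam posted, a PIX 6.x running config and its `show crypto ipsec sa` output. The first check collects every `access-list` name the config defines and every name a `crypto map ... match address`, `crypto dynamic-map ... match address` or `nat (...) 0 access-list` line refers to, and reports references with no matching definition; a crypto map entry whose interesting-traffic ACL does not exist has no traffic to encrypt. The second reads the `#pkts encaps` / `#pkts decaps` counters of the first SA block and classifies the flow direction. Both inputs below are excerpts copied from the reply (the PIX config excerpt keeps only the ACL definitions and the lines that reference ACLs, since nothing else affects the checks). On those excerpts the first check returns one dangling reference, `traffic_to_branch_via_vpn` on the `crypto map dyn-map 10` entry, while the config defines `to_branch_via_vpn`; the second returns encaps 0 / decaps 99, i.e. the PIX is decrypting packets from the branch and encrypting nothing toward it, which is consistent with the ping results described.

```python
"""Two checks on a PIX 6.x site-to-site config and its SA counters (added example)."""
import re

# Excerpt of the HQ PIX config quoted in the reply: ACL definitions and the
# lines that reference ACLs by name. Other lines do not affect these checks.
PIX_CONFIG = """
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list vpnmain_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_cryptomap_dyn_20 permit ip any 192.168.1.224 255.255.255.248
access-list acl_inside permit ip any any
access-list to_branch_via_vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list to_branch_via_vpn
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address traffic_to_branch_via_vpn
crypto map dyn-map 10 set peer 2.2.2.2
crypto map dyn-map interface outside
"""

# Excerpt of the 'show crypto ipsec sa' output quoted in the reply (first SA block).
SA_OUTPUT = """
Crypto map tag: dyn-map, local addr. 1.1.1.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 2.2.2.2:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify 99
"""

ACL_DEF = re.compile(r"^access-list (\S+) (?:permit|deny)\b")
CRYPTO_ACL_REF = re.compile(r"^crypto (?:map|dynamic-map) \S+ \d+ match address (\S+)$")
NAT0_ACL_REF = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def dangling_acl_references(config_text):
    """Map each referenced-but-undefined ACL name to the first line referencing it."""
    defined, referenced = set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pattern in (CRYPTO_ACL_REF, NAT0_ACL_REF):
            m = pattern.match(line)
            if m:
                referenced.setdefault(m.group(1), line)
    return {name: line for name, line in referenced.items() if name not in defined}


def sa_direction(sa_text):
    """Return (encaps, decaps, verdict) from the first SA block in the output."""
    counts = {}
    for m in COUNTER.finditer(sa_text):
        counts.setdefault(m.group(1), int(m.group(2)))   # keep the first SA's numbers only
    enc, dec = counts.get("encaps", 0), counts.get("decaps", 0)
    if enc and dec:
        verdict = "bidirectional"
    elif dec:
        verdict = "receive-only"   # peer encrypts to us; nothing local is steered into the tunnel
    elif enc:
        verdict = "send-only"      # we encrypt; nothing arrives from the peer
    else:
        verdict = "idle"
    return enc, dec, verdict


if __name__ == "__main__":
    for name, line in dangling_acl_references(PIX_CONFIG).items():
        print(f"undefined access-list '{name}' referenced by: {line}")
    print("SA counters (encaps, decaps, verdict):", sa_direction(SA_OUTPUT))
```

`sa_direction` deliberately keeps only the first occurrence of each counter, so on a full `show crypto ipsec sa` listing it reports the first SA block (here the dyn-map entry toward 2.2.2.2) rather than summing across every peer.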
