Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

PIX and ICMP through a VPN tunnel

I've configured a PIX 515E, code revision 6.2(2) with a VPN configuration

which permits Cisco VPN 3.x clients to terminate VPN sessions on a lower

security interface and gain access to resources on the inside (security

level 100) interface. The terminating interface is not the 'outside'

interface (security level 0), but is a lower security level than the

'inside' interface.

There is an access-list applied to both the 'inside' and 'extranet'

interfaces for non-VPN traffic. I've noticed that I can establish a VPN

tunnel successfully and pass traffic (e.g WWW, NT-based resources etc.),

but I am unable to ping resources on the 'inside' interface through the

VPN tunnel (though I can access them through tcp/udp). According to the

debugging logs, it is the ACL on the 'inside' interface which is blocking

ICMP (presumably echo-reply) and temporarily removing this ACL (it is

currently in a lab environment :) allows VPN users on the 'extranet'

network to ping resources on the 'inside' network. I have the "sysopt

connection permit-ipsec" command in the configuration, which I believed

bypassed ACL-checking for VPN traffic; though from my observations so far,

it may actually be more subtle than that. Is the ASA also bypassed for VPN traffic?

Does anything special need to be configured for ICMP through a VPN tunnel

terminating on a PIX when ACLs are applied? I am using NAT 0 access-list

to bypass NAT for traffic destined to the VPN clients from the 'inside'

network, and there is a net static between the 'extranet' and 'inside'

networks which effectively disables NAT between these interfaces for

non-VPN traffic.

Cisco Employee

Re: PIX and ICMP through a VPN tunnel

"sysopt connection permit-ipsec" bypasses inbound ACL's for VPn traffic and allows them straight into your inside network. This command does NOT allow the return traffic through if it is being denied by an ACL on your inside network though, so you will need to let ICMP's in on your inside interface if you want to be able to ping those hosts through the VPN.


Re: PIX and ICMP through a VPN tunnel

Thanks for your reply. Why don't I need to let other (non-ICMP) traffic through the inbound ACL; why just ICMP? Is it the case that the PIX is still actually inspecting VPN traffic using its ASA algorithm (and letting the replies back), but because ICMP is not inspected by the PIX, these replies must be permitted explicitly?

CreatePlease to create content