12-31-2002 11:59 AM - edited 03-09-2019 01:32 AM
I have a VPN between two PIXs, a 515e and a 501e...
the inside interface of the 515e has the IP of 192.168.50.1
the inside interface of the 501e has the IP of 192.168.51.1
from the 50.0 network I cannot ping the 51.1 address, and from the 51.0 network I cannot ping the 50.1 address. (much more telnet to either of them)
I can ping any other respective address on the 192.168.50.x or .51.x without a problem, but not the interfaces.
From inside each network I cannot ping the outside interface's IP address either. (even when I have the access-lists wide open)
Enlightenment is welcomed as to the reason of this. :)
Thank you,
Dave
12-31-2002 12:21 PM
Hi Dave,
This is by design. In a PIX-to-PIX IPSec tunnel you cannot ping or telnet to the inside interface of the PIX through the IPSec tunnel.
If you are not able to ping the outside IP address, then check to see if the private IP addresses are getting NATed to a public IP address and also that the remote PIX IP address is allowing ICMP traffic to go through.
If you want to go through the IPSec tunnel and then ping the outside IP address, make sure that you have added the outside IP address in your IPSec access-list.
Regards,
Arul
12-31-2002 12:31 PM
I see.
So with my 515e, my nat and global are as follows:
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
I also have tried adding :
icmp permit any outside
icmp permit any inside
and that didn't make a difference.
So for anyone in the 50.0 to ping through to the outside interface's IP, what do I need to add to allow that?
Also for someone from the 51.x network on the other side of the VPN to telnet to the outside interface of the PIX over here, I had added
telnet ConstOffice 255.255.255.255 outside (ConstOffice being the external IP of the remote side of the VPN)
telnet 192.168.51.0 255.255.255.0 outside
And that hasn't worked either. What do I need to do to allow each side of the network to telnet to the opposite PIX? Thanks
Dave
12-31-2002 01:58 PM
Hi Dave,
You can follow the sample config from my lab set up for allowing telnet access through the IPSec LAN-to-LAN tunnel.
In the below config, I am telnetting to the PIX outside IP address (172.16.172.34) via the IPSec tunnel from a router on the 192.168.2.0 subnet.
p520-1# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname p520-1
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 120 permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip host 172.16.172.34 192.168.2.0 255.255.255.0
access-list 140 permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 140 permit ip host 172.16.172.34 192.168.2.0 255.255.255.0
pager lines 24
logging console debugging
logging buffered alerts
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.172.34 255.255.255.240
ip address inside 192.168.4.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 140
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 120
crypto map vpn 10 set peer 172.16.172.40
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 172.16.172.40 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.2.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:4f71d275172efa77bf714b64b8fbb749
: end
[OK]
p520-1#
p520-2# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname p520-2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 host 172.16.172.34
access-list 140 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 140 permit ip 192.168.2.0 255.255.255.0 host 172.16.172.34
pager lines 24
logging on
logging timestamp
logging console alerts
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.172.40 255.255.255.240
ip address inside 192.168.2.254 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm history enable
arp timeout 14400
global (inside) 100 interface
nat (inside) 0 access-list 140
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 172.16.172.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 120
crypto map vpn 10 set peer 172.16.172.34
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 172.16.172.34 netmask 255.255.255.255
isakmp keepalive 10 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:133bfb07f4254100c83fc383a3fe6555
: end
[OK]
p520-2#
2501-1#
2501-1#sh ip int brie
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.2.4 YES manual up up
Loopback0 11.11.11.11 YES manual up up
Loopback1 12.12.12.12 YES manual up up
Loopback50 25.25.25.25 YES manual up up
Loopback99 50.1.1.1 YES manual up up
Serial0 unassigned YES unset administratively down down
Serial1 unassigned YES unset administratively down down
2501-1#telnet 172.16.172.34
Trying 172.16.172.34 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
p520-1> en
Password:
p520-1#
Regards,
Arul
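One way to check a PIX 6.x config for the three pieces Arul's lab config shows (outside IP as a host entry in the crypto-map ACL and in the nat 0 ACL, plus a telnet statement for the remote subnet on outside). This is an added Python example, not from the thread; the sample config, ACL names and the 203.0.113.10 outside address are constructed placeholders modelled on Dave's 515e.

```python
"""Lint a PIX 6.x config for management access to its outside interface through a
LAN-to-LAN IPSec tunnel, per the thread: the outside IP must be a 'host' source in
the crypto-map match ACL and the nat 0 ACL, and a telnet statement must admit the
remote subnet on 'outside'. Added example, not from the thread; config is constructed."""
import ipaddress
import re

def parse_pix(text):
    """Pull only the statements the check needs out of a 'wr t' dump."""
    cfg = {"acl": {}, "telnet": [], "nat0": None, "crypto_acl": None, "outside_ip": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (.+)", line):
            cfg["acl"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"ip address outside (\S+) \S+", line):
            cfg["outside_ip"] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"telnet (\S+) (\S+) outside", line):
            cfg["telnet"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return cfg

def acl_has_host_to_net(entries, host, net):
    """True if an entry reads 'host <host> <net> <mask>' and covers the remote net."""
    for entry in entries:
        m = re.match(rf"host {re.escape(host)} (\S+) (\S+)$", entry)
        if m and ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False).supernet_of(net):
            return True
    return False

def check_mgmt_via_tunnel(text, remote_subnet):
    """Return the missing pieces; an empty list means the config should allow it."""
    cfg, net, gaps = parse_pix(text), ipaddress.ip_network(remote_subnet), []
    host = cfg["outside_ip"]
    for label, name in (("crypto ACL", cfg["crypto_acl"]), ("nat 0 ACL", cfg["nat0"])):
        if not acl_has_host_to_net(cfg["acl"].get(name, []), host, net):
            gaps.append(f"{label} {name} lacks 'host {host}' -> {net}")
    if not any(t.supernet_of(net) for t in cfg["telnet"]):
        gaps.append(f"no 'telnet {net.network_address} {net.netmask} outside'")
    return gaps

# Constructed config modelled on Dave's 515e; 203.0.113.10 stands in for its outside IP.
BROKEN = """ip address outside 203.0.113.10 255.255.255.248
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 120 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map vpn 10 match address 120\n"""
FIXED = BROKEN + """access-list inside_nat0_outbound permit ip host 203.0.113.10 192.168.51.0 255.255.255.0
access-list 120 permit ip host 203.0.113.10 192.168.51.0 255.255.255.0
telnet 192.168.51.0 255.255.255.0 outside\n"""
```

Running check_mgmt_via_tunnel(BROKEN, "192.168.51.0/24") lists the three missing statements; on FIXED it returns an empty list.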