Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

question...

I have a VPN between two pix's, a 515e, and a 501e...

the inside interface of the 515e has the IP of 192.168.50.1

the inside interface of the 501e has the IP of 192.168.51.1

from the 50.0 network I cannot ping the 51.1 address, and from the 51.0 network I cannot ping the 50.1 address. (much more telnet to either of them)

I can ping any other respective address on the 192.168.50.x or .51.x without a problem, but not the interfaces.

From inside each network I cannot ping the outside interface's IP address as well. (even when I have the access-lists wide open)

Enlightenment is welcomed as to the reason of this. :)

Thank you,

Dave

3 REPLIES
Cisco Employee

Re: question...

Hi Dave,

This is by design. In an IPSec tunnel between a Pix to Pix you cannot ping or telnet to the inside interface the Pix through the IPSec tunnel.

If you are not able to ping the outside ip address , then check to see if the private ip addresses are getting NATed to a Public IP Address and also the remote Pix ip address is allowing ICMP Traffic to go through.

If you want to go through the IPSec tunnel and then ping the outside ip address, make sure that you have added the outside ip address in your IPSec access-list.

Regards,

Arul

New Member

Re: question...

I see.

So with my 515e, my nat and global are as follows:

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

I also have tried adding :

icmp permit any outside

icmp permit any inside

and that didnt make a difference.

So for anyone in the 50.0 to ping through to the outside interface's IP, what do I need to add to allow that?

Also for someone from the 51.x network on the other side of the VPN to telnet to the outside interface of the PIX over here, I had added

telnet ConstOffice 255.255.255.255 outside (ConstOffice being the external IP of the remote side of the VPN)

telnet 192.168.51.0 255.255.255.0 outside

And that hasnt worked either. What do I need to do to allow each side of the network to telnet to the opposite PIX? Thanks

Dave

Cisco Employee

Re: question...

Hi Dave,

You can follow the sample config from my lab set up for allowing telnet access through the IPSec lan to lan tunnel.

In the below config, I am telnetting to the pix outside ip address (172.16.172.34) via the ipsec tunnel from a router on 192.168.2.0 subnet.

p520-1# wr t

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname p520-1

domain-name cisco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 120 permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 120 permit ip host 172.16.172.34 192.168.2.0 255.255.255.0

access-list 140 permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 140 permit ip host 172.16.172.34 192.168.2.0 255.255.255.0

pager lines 24

logging console debugging

logging buffered alerts

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 172.16.172.34 255.255.255.240

ip address inside 192.168.4.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 140

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 172.16.172.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map vpn 10 ipsec-isakmp

crypto map vpn 10 match address 120

crypto map vpn 10 set peer 172.16.172.40

crypto map vpn 10 set transform-set myset

crypto map vpn interface outside

isakmp enable outside

isakmp key ******** address 172.16.172.40 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet 192.168.2.0 255.255.255.0 outside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:4f71d275172efa77bf714b64b8fbb749

: end

[OK]

p520-1#

p520-2# wr t

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname p520-2

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list 120 permit ip 192.168.2.0 255.255.255.0 host 172.16.172.34

access-list 140 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list 140 permit ip 192.168.2.0 255.255.255.0 host 172.16.172.34

pager lines 24

logging on

logging timestamp

logging console alerts

logging buffered debugging

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 172.16.172.40 255.255.255.240

ip address inside 192.168.2.254 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

pdm history enable

arp timeout 14400

global (inside) 100 interface

nat (inside) 0 access-list 140

conduit permit ip any any

route outside 0.0.0.0 0.0.0.0 172.16.172.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set pix esp-des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map vpn 10 ipsec-isakmp

crypto map vpn 10 match address 120

crypto map vpn 10 set peer 172.16.172.34

crypto map vpn 10 set transform-set myset

crypto map vpn interface outside

isakmp enable outside

isakmp key ******** address 172.16.172.34 netmask 255.255.255.255

isakmp keepalive 10 3

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:133bfb07f4254100c83fc383a3fe6555

: end

[OK]

p520-2#

2501-1#

2501-1#sh ip int brie

Interface IP-Address OK? Method Status Prot

ocol

Ethernet0 192.168.2.4 YES manual up up

Loopback0 11.11.11.11 YES manual up up

Loopback1 12.12.12.12 YES manual up up

Loopback50 25.25.25.25 YES manual up up

Loopback99 50.1.1.1 YES manual up up

Serial0 unassigned YES unset administratively down down

Serial1 unassigned YES unset administratively down down

2501-1#telnet 172.16.172.34

Trying 172.16.172.34 ... Open

User Access Verification

Password:

Type help or '?' for a list of available commands.

p520-1> en

Password:

p520-1#

p520-1#

p520-1#

p520-1#

p520-1#

Regards,

Arul

76
Views
0
Helpful
3
Replies
CreatePlease to create content