Cisco Support Community
New Member

Cannot ping my ezvpn hardware client (C831 12.3.7T)

On the PIX fw as Easy VPN server, I get:

106011: Deny inbound (No xlate) icmp src inside:<src host> dst inside:<dst router> (type 8, code 0)

The C831 is an Easy VPN hardware client in network-extension mode. The VPN works correctly.

Also, I can't ping PCs connected to C831 E0.

But I can ping the C831 external address from the PIX, or the reverse, using:

on pix, ping outside <C831 external address>

on C831, ping <pix outside public address>

2 REPLIES
Bronze

Re: Cannot ping my ezvpn hardware client (C831 12.3.7T)

On a PIX firewall, you will need to explicitly permit ICMP traffic for pings to work. Configure it, and pings should work fine.

New Member

Re: Cannot ping my ezvpn hardware client (C831 12.3.7T)

I already have the following relevant Pix config:

access-list 5 permit any

nat (inside) 0 access-list 5

access-list 1 permit icmp any any echo-reply

access-list 1 permit icmp any any echo

access-group 1 in interface inside

access-list 3 permit icmp any any echo-reply

access-list 3 permit icmp any any echo

access-group 3 in interface outside

sysopt connection permit-ipsec

I also tried

"conduit permit icmp any any"

without success

If an echo-request is issued by the VPN remote client, it goes to the destination, but the echo-reply is rejected by the PIX with

"106011: Deny inbound (No xlate) icmp src inside: dst inside: (type 0, code 0)"

In order to telnet on my remote client router, I should take the source telnet address on the inside interface (inside the vpn remote subnet)

and I can telnet from remote vpn router. I did the same for NTP service.

But Telnet or NTP uses a TCP or UDP connection with a dynamic xlate.

For ICMP, it doesn't, so I must create a static xlate. But now, how can you create an xlate from inside to inside (since the VPN is seen as inside due to sysopt permit-ipsec)?
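
For triaging these messages in bulk, the following added example (not part of the thread and not Cisco code) parses 106011 ICMP denies in the format quoted above and separates out those whose source and destination interface are the same, as in both messages posted here. The sample log lines and addresses are constructed, and `parse_106011` and `summarize` are names chosen for this example.

```python
import re
from collections import Counter

# Format taken from the two 106011 messages quoted in the thread.
# Addresses may be empty, as in the second message posted above.
LINE_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S*) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S*) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)
ICMP_NAMES = {0: "echo-reply", 8: "echo"}

# Constructed sample input (RFC 1918 / RFC 5737 addresses), not real logs.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) icmp src inside:10.1.1.20 dst inside:10.2.2.1 (type 8, code 0)
106011: Deny inbound (No xlate) icmp src inside:10.1.1.20 dst inside:10.2.2.1 (type 8, code 0)
106011: Deny inbound (No xlate) icmp src inside: dst inside: (type 0, code 0)
106011: Deny inbound (No xlate) icmp src outside:192.0.2.9 dst inside:10.1.1.20 (type 8, code 0)
some other syslog line (constructed, ignored by the parser)
"""

def parse_106011(line):
    """Return a dict for an ICMP 106011 deny, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
    rec["icmp"] = ICMP_NAMES.get(rec["type"], f"type-{rec['type']}")
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

def summarize(log_text):
    """Count denies per (src_if, dst_if, icmp name); also return the same-interface subset."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106011(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["icmp"])] += 1
    same = {k: v for k, v in counts.items() if k[0] == k[1]}
    return counts, same

if __name__ == "__main__":
    counts, same = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        flag = "  <- same interface" if key in same else ""
        print(f"{n:3d}  {key[0]} -> {key[1]}  {key[2]}{flag}")
```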
