Cisco Support Community

Site to Site VPN: PIX v6.3 and Router v12.4

Hi,

I set up a site-to-site VPN between a router and a PIX. The tunnel is up and I can access both sites when pinging from users connected to the LAN (both sites). The issue is when I log in to the router console: from there I can't ping the other site, but when I issue this command "PING 2.2.2.1 SOURCE 1.1.1.1" it is successful. By using this command "PING 2.2.2.1" it is not successful.

I need this for the VoIP configuration.

dial-peer voice 4001 voip
 destination-pattern 1..
 voice-class h323 1
 session target ipv4:2.2.2.2
 dtmf-relay h245-alphanumeric
 codec g711ulaw

Voice gateway resides at LAN B.

Network Topology.

LAN-A<-->ROUTER<-- WAN --->PIX<--> LAN-B

LAN A network: 1.1.1.x/24

LAN B network: 2.2.2.x/24

Please rate replies and mark question as "answered" if applicable.
Re: Site to Site VPN: PIX v6.3 and Router v12.4

Hello,

I'm going to guess why this is without seeing the full config....

The difference between the two situations is that when you type "PING 2.2.2.1" the packet doesn't match the VPN ACL and therefore is sent out onto the internet in plain text with a source IP of your outside interface.

When you type "PING 2.2.2.1 SOURCE 1.1.1.1" the traffic will now match the VPN ACL and is encrypted and sent down the tunnel.
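The ACL-matching behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of IOS crypto ACL wildcard matching and default source selection for router-originated packets. The crypto ACL entry and the WAN address 203.0.113.1 are assumptions, since the thread shows neither.

```python
import ipaddress

# Assumed crypto ACL (the thread does not show the real one), in IOS form:
#   permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
CRYPTO_ACL = [("1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255")]

# Constructed interface table: 1.1.1.1 is the LAN address from the thread,
# 203.0.113.1 is a placeholder for the unknown WAN address.
INTERFACES = {"lan": "1.1.1.1", "wan": "203.0.113.1"}
LAN_A = ipaddress.ip_network("1.1.1.0/24")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def egress_interface(dst):
    """Toy routing table: LAN A is connected, everything else leaves via WAN."""
    return "lan" if ipaddress.ip_address(dst) in LAN_A else "wan"


def classify(dst, src=None):
    """Return (source used, verdict) for a packet originated by the router."""
    # Without an explicit source, the egress interface address is used.
    src = src or INTERFACES[egress_interface(dst)]
    for s_base, s_wild, d_base, d_wild in CRYPTO_ACL:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return src, "encrypted"
    return src, "cleartext"


if __name__ == "__main__":
    print(classify("2.2.2.1"))                 # plain "ping 2.2.2.1"
    print(classify("2.2.2.1", src="1.1.1.1"))  # "ping 2.2.2.1 source 1.1.1.1"
    print(classify("2.2.2.2"))                 # default source towards the session target
```

The third call uses the dial-peer's session target as destination with the default source, which falls outside the assumed ACL in the same way as the plain ping.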

Re: Site to Site VPN: PIX v6.3 and Router v12.4

Thank you for your reply, JamesLuther.

I am thinking this way as well. Now, I am searching if I can change the source of ICMP. In telnet I can change the source by using this syntax "ip telnet source-interface INTERFACE_NAME" but for ICMP there is none. Any other solution for this?

Please rate replies and mark question as "answered" if applicable.

Re: Site to Site VPN: PIX v6.3 and Router v12.4

Hello,

I'm not sure that this is possible. Am I right in saying that this is needed as the router is doing voip as well as VPN?

I don't know exactly what your setup is or what you're trying to achieve, but you might find configuring an IPSec/GRE tunnel will solve this issue. That way you can explicitly route all traffic for 2.2.2.2 towards the Tunnel interface regardless of the source IP.

Google "ipsec gre tunnel site:cisco.com" for some documents on how to configure this.

Let me know if this helps.

Thanks

Re: Site to Site VPN: PIX v6.3 and Router v12.4

You mean that I will do port forwarding under PIX and configure IPSec/GRE between LAN A Router & LAN B VG Router?

Please rate replies and mark question as "answered" if applicable.