Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Adding VPN killed Ping 1

Status
Not open for further replies.
maelx

maelx

MIS
Feb 25, 2004
8
I recently added a VPN config to my Pix and was able to ping from internal to external before it's addition. Now that I have a working VPN, I can no longer ping from behind the firewall. I can ping the internal intf. from inside and the external intf. from outside but that's as far as we go. Any ideas? Here is the config with bold text for the lines I added.

(config)# show runn
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

hostname name
domain-name name.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.x.y.45 server1
name 10.x.y.24 server2
name 10.x.y.46 server3
object-group service webservices tcp-udp
description Allow http and https connections
port-object eq 80
port-object eq 443
object-group network public_network
description Public exposed IP addresses
network-object host a.b.c.34
network-object host a.b.c.35
network-object host a.b.c.36
object-group icmp-type icmp_messages
description ICMP group type to include PING responses
icmp-object echo-reply
icmp-object unreachable
icmp-object source-quench
icmp-object time-exceeded
icmp-object echo
access-list acl_outside_inside permit icmp any object-group public_network object-group icmp_messages
access-list acl_outside_inside permit tcp any host a.b.c.35 object-group webservices
access-list acl_outside_inside permit tcp any host a.b.c.35 eq 3389
access-list acl_outside_inside permit tcp any host a.b.c.35 eq smtp
access-list acl_outside_inside permit tcp any host a.b.c.34 eq ssh
access-list acl_outside_inside permit tcp any host a.b.c.36 object-group webservices
access-list acl_outside_inside deny ip any any
access-list acl_inside_outside deny tcp any any eq 445
access-list acl_inside_outside permit ip any any
access-list no_NAT permit ip 10.x.y.0 255.255.240.0 192.168.1.0 255.255.255.0
pager lines 35
logging on
logging timestamp
logging console warnings
icmp permit any outside
icmp permit 10.x.y.0 255.255.240.0 inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside a.b.c.34 255.255.255.240
ip address inside 10.x.y.33 255.255.240.0
no ip address DMZ
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name ATTACKPOLICY attack action alarm reset
ip audit name INFOPOLICY info action alarm
ip audit interface outside ATTACKPOLICY
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.0.10-192.168.0.20
ip local pool vpnpool1 192.168.1.1-192.168.1.20
pdm location a.b.c.35 255.255.255.255 outside
pdm location server2 255.255.255.255 inside
pdm location server1 255.255.255.255 inside
pdm location server3 255.255.255.255 inside
pdm location 10.x.y.111 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 a.b.c.45
nat (inside) 0 access-list no_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp a.b.c.35 smtp server1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.35 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.35 https server3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.35 3389 server3 3389 netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.36 server2 netmask 255.255.255.255 0 0
access-group acl_outside_inside in interface outside
access-group acl_inside_outside in interface inside
route outside 0.0.0.0 0.0.0.0 a.b.c.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.x.y.111 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community ****
no snmp-server enable traps
tftp-server inside 10.x.y.111 pix
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set Xrmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set Xrmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup groupit address-pool vpnpool1
vpngroup groupit dns-server 10.x.y.32
vpngroup groupit wins-server 10.x.y.32
vpngroup groupit default-domain name.com
vpngroup groupit split-tunnel no_NAT
vpngroup groupit idle-time 1800
vpngroup groupit password ********
telnet 10.x.y.0 255.255.240.0 inside
telnet timeout 30
ssh 10.x.y.0 255.255.240.0 inside
ssh timeout 5
console timeout 0
terminal width 80

Cryptochecksum:56ae9d3d7b648f8d6c32d8d7d7aa6c9b
: end
 
Sort by date Sort by votes
did you by any chance enable the ids functions at the same time ? your config looks ok, but you have ids enabled on the outside which might jinx your icmp.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Upvote 0 Downvote
I had the IDS functions up before. That's why I am stumped. If the IDS is the problem, would it still allow external pings to the external interface? I will disable it and see if that helps but I would like their functionality back at some point.

Thanks,
Brent
 
Upvote 0 Downvote
Removing the IDS did not do the trick.
 
Upvote 0 Downvote
Your config only allows echo replies directed to these three addresses

network-object host a.b.c.34
network-object host a.b.c.35
network-object host a.b.c.36

Which only statically nat back to servers for smtp, www, https and 3389 traffic.

It looks like if you ping from the inside out, that traffic will nat out to the .45 address, eg

global (outside) 1 a.b.c.45

So you'd have to allow at least echo-reply to come to that .45 address for pings originating from the inside out to work.

If you've really not changed your object-group network public_network commands recently, then I can't see how this could ever have worked.

Anyway, add this;

object-group network public_network
network-object host a.b.c.45

and it should work.

You can probably ping out from server2 at the moment, because it's static rule maps all traffic to the .36 address.

Chico

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Upvote 0 Downvote
Chico,

Thanks! I added the .46 address to the network object group and it worked. I am still a little confused as to why it worked before without it in the object group. I will have to play with that to see why.

Thanks again!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
852
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
365
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
Garbear
  • Locked
  • Question
TZ190 VPN Connection works but can't ping some IP's on either side
Replies
0
Views
242
Garbear
Garbear
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
291
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top