Problem pinging remote host using vpn client

brunopt

IS-IT--Management
Mar 1, 2004
Hello everyone.

I'm having a big problem, but first I will try to give a brief story about the problem.
OK, I've tried to establish a VPN tunnel using the Cisco VPN client to connect to a remote network.


Client --Router ---Internet --- PIX --- DMZServer

I've successfully connected to the PIX using the VPN client, but I cannot ping the DMZ server.

My point is, when I connect using a dialup account from my ISP to get on the Internet and then make the tunnel using the VPN client, I can ping the DMZ server.
When I'm in the LAN and connect to the PIX using the VPN client, I can't ping the DMZ server.

Does anyone know how I can resolve this problem?

Thanks to all
 
The problem could be in the router. The router is obviously doing some sort of PATing. Secondly, is the router configured to allow IPSec traffic thru? What type of router is it?
 
If you're running PIX OS 6.3(1) or above, add

isakmp nat-traversal

to your config, and your phase 2 ESP traffic will be tunnelled under UDP port 4500, and so will NAT through your router properly.

Alternatively, the problem could be that the local IP address assigned to the VPN client when you connect is in the same range as the local address you use behind the router. For this reason it's often a good idea not to use the 192.168.1/24 range for the VPN client pool, as lots of SOHO routers which a single user will typically use at home default to this range.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Hello bell1996 and chicocouk, thanks for answering my thread, but unfortunately my problem is still happening. I can't apply anything to the firewall because I can't administer it, but I have done one thing that made me check that the problem is on my side, in my router.
I have disabled the access list applied to my dialer1 interface that goes out to the Internet, and it works beautifully with no problem; once I put the access list back, it won't work. I will leave the access list here to see if you guys can sort this out.

access-list 111 permit tcp any any established
access-list 111 permit udp any any
access-list 111 permit udp any eq domain any eq domain
access-list 111 permit udp any eq domain any gt 1024
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any eq access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq ftp
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit tcp any eq domain any eq domain
access-list 111 permit tcp any eq domain any gt 1024
access-list 111 permit tcp any gt 1024 any eq domain
access-list 111 permit udp any gt 1024 any eq domain
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any eq 443 any
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit gre any any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
access-list 111 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
access-list 111 permit tcp any any eq 4662
access-list 111 permit tcp any any eq 4661
access-list 111 permit tcp host xxx.xxx.xxx.xxx eq ftp any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 10000
access-list 111 permit udp any eq isakmp any
access-list 111 permit udp any any eq non500-isakmp


Thanks for all
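An added example, not code from the thread: it parses an extended IOS-style ACL like the one posted above (first match wins, implicit deny at the end) and reports which IPsec return flows from the PIX it lets through. The sample ACL, the PIX address 203.0.113.10 and the client address 198.51.100.20 are constructed; `esp` is the IOS keyword for IP protocol 50.

```python
import ipaddress

# Constructed sample modelled on the inbound ACL posted in the thread (masked host lines left out).
# Nothing permits ESP (IP protocol 50), so without NAT-T the phase 2 return traffic hits the implicit deny.
SAMPLE_ACL = """
access-list 111 permit tcp any any established
access-list 111 permit udp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "www": 80, "smtp": 25, "ftp": 21}

def _take_addr(toks):  # "any" | "host A.B.C.D" | "A.B.C.D wildcard"
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(toks[1])) & 0xFFFFFFFF))  # wildcard -> netmask
    return ipaddress.IPv4Network((toks[0], mask), strict=False), toks[2:]
def _take_port(toks):  # optional "eq|gt|lt|neq <port>"
    if toks and toks[0] in ("eq", "gt", "lt", "neq"):
        return (toks[0], PORT_NAMES.get(toks[1]) or int(toks[1])), toks[2:]
    return None, toks
def parse_acl(text):  # "access-list N permit|deny proto src [op port] dst [op port] [flags]"
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
            continue  # skip remarks and anything that is not an access-list entry
        src, rest = _take_addr(toks[4:])
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, flags = _take_port(rest)
        aces.append((toks[2], toks[3], src, sport, dst, dport, flags))
    return aces
def _port_ok(spec, port):
    if spec is None or port is None:
        return spec is None
    return {"eq": port == spec[1], "neq": port != spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]
def permits(aces, proto, src, dst, sport=None, dport=None, ack=False):  # first match wins, else implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, asrc, asport, adst, adport, flags in aces:
        if p not in (proto, "ip") or s not in asrc or d not in adst:
            continue
        if not (_port_ok(asport, sport) and _port_ok(adport, dport)) or ("established" in flags and not ack):
            continue  # "established" only matches TCP segments with ACK or RST set
        return action == "permit"
    return False
def ipsec_return_traffic(aces, peer, me):  # can the PIX (peer) reach the client (me) for each IPsec flow?
    return {"isakmp udp/500": permits(aces, "udp", peer, me, 500, 500),
            "nat-t udp/4500": permits(aces, "udp", peer, me, 4500, 4500),
            "esp ip/50": permits(aces, "esp", peer, me)}
```

Run `ipsec_return_traffic(parse_acl(SAMPLE_ACL), "203.0.113.10", "198.51.100.20")` to see that ISAKMP and NAT-T pass while raw ESP does not, which is why enabling NAT-T on the PIX (or adding `permit esp` on the router) fixes this shape of ACL.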
 