Allow ICMP via access lists

Agent6376 Member Posts: 201
Hello TE friends,

I have a client here in New Orleans that has two PIX 501 firewalls: one is located here, and another is in Virginia. I'll state as much information as I can without being able to post the actual config.

New Orleans Network
192.168.0.0 /24
NAT enabled

Virginia Network
192.168.147.0 /24
NAT enabled as well.

I've configured each of the PIXes to establish an IPsec tunnel with one another using a pre-shared key, and from the debug outputs, it's completing both phase 1 and phase 2. The issue is that I can't confirm that the routers can communicate with one another's local subnets successfully.

I'm not very experienced with the Cisco IOS and I only modified a mostly completed configuration after the Virginia location changed ISPs and IP address information.

On each router, I cannot ping 4.2.2.1.
I can ping from New Orleans to Virginia's router
I cannot ping from Virginia's router to New Orleans.

At this point I think that the issue isn't with the tunnel necessarily, but ICMP packets aren't getting past the access lists.

NAT is bound to an access list that basically states:
access-list permit icmp any any
access-list permit ip (local subnet id, local mask) (remote subnet id, remote mask)

If there's anyone who can lend a Cisco newb some advice I sure would appreciate it.

TIA
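Added example, not taken from the original post or its configs: a PIX 6.x-style configuration sketch for the New Orleans side, showing the pieces that have to agree before pings across a LAN-to-LAN tunnel can be expected to work. Only the two subnets (192.168.0.0/24 and 192.168.147.0/24) come from the post; the ACL names (nonat, vpn_to_va, outside_in), the crypto map and transform-set names, and the peer address 203.0.113.2 are assumptions chosen for illustration. The ISAKMP policy and pre-shared key are left out because the post says phase 1 and phase 2 already complete. Note that the NAT-exemption list here contains only the two LAN subnets; an `icmp any any` entry in it is not needed for the tunnel.

```cisco
! New Orleans PIX 501, PIX 6.x syntax (assumed example, not the poster's config).
! Peer address 203.0.113.2 is a placeholder from the documentation range.

! --- NAT exemption: LAN-to-LAN traffic must leave the inside interface untranslated,
! --- otherwise its source no longer matches the crypto ACL and it never enters the tunnel.
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.147.0 255.255.255.0
nat (inside) 0 access-list nonat
! everything else from inside is PAT'd to the outside address as before
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! --- Crypto ACL: selects the same LAN-to-LAN pair as the exemption list.
! --- The Virginia PIX needs the mirror image (147 subnet as source, 0 subnet as destination).
access-list vpn_to_va permit ip 192.168.0.0 255.255.255.0 192.168.147.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_to_va
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! --- Decrypted tunnel traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec

! --- PIX 6.x does not track ICMP statefully: an inside host's ping to the Internet
! --- only gets its reply if echo-reply (and the useful error types) are permitted
! --- back in explicitly on the outside interface.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside

! --- ICMP addressed to the PIX's own interfaces is governed by the icmp command,
! --- not by the interface ACL. Allow pings to the inside interface, and echo /
! --- echo-reply on the outside interface so the peer can be pinged for testing.
icmp permit any inside
icmp permit any echo outside
icmp permit any echo-reply outside
```

When testing, ping from a host on one LAN to a host on the other rather than from the PIX itself: a ping sourced by a PIX 6.x box uses the address of the interface it leaves through, which for a remote private subnet is the outside address, and that address is not in the crypto ACL, so the ping never goes through the tunnel. Then compare the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` on both ends and the hit counts in `show access-list`: if encaps rises on one side and decaps rises on the other but the host gets no reply, the problem is on the far LAN (host firewall, wrong default gateway), not the tunnel or the PIX ACLs.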

Comments

  • peanutnoggin Member Posts: 1,096
    Can you verify your router's default gateway or gateway of last resort? Run a "show ip route" from enable mode and that should tell you. Your previous ISP's IP address may be set as the default network, default gateway or gateway of last resort. I hope this helps.

    ~Peanut

    BTW, New Orleans is my home town... I still have plenty of family living in the inner city in the 7th, 8th, and 9th wards. Always good to see a fellow New Orleanian.
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • Agent6376 Member Posts: 201
    We New Orleanians are like family :)

    As for the issue, the default routes were OK. I was thrown off because I couldn't ping any of the hosts, but someone told me that PIX firewalls won't ping hosts? Whether that's true or not I don't know, but when the command "show crypto ipsec sa" was entered, I see packets being encapsulated and decapsulated across the tunnel, so from what I see it's up.