Hi Group,
I am trying to deploy a VPN solution and ran into a seemingly simple problem
which I can't seem to resolve. I terminated the radio link from the ISP
on fa0/0 of my Cisco 2621 router. I connected fa0/1 of 2621 to e0/0, the
outside of my PIX 506 by cross cable and connected e0/1, the inside of PIX
to LAN switch. The inside network has address 10.240.77.0/24 and the VPN is
between Exchange server at 10.240.77.3 and the larger 10.240.0.0 network.
The ISP has assigned me the following IP addresses 66.135.55.171, .172, .173
and .174 from a subnet with mask 255.255.255.192. So I assigned .171 to
fa0/1 - inside of 2621, .172 to e0/0 - outside of PIX, .173 as global on PIX
for PAT and reserved .174 for a future VG.
I wanted to put the config thru its paces by pinging round the PIX. For
testing, I had entered on the PIX:
conduit permit ICMP any any
access-list aclout permit icmp any any
access-list aclin permit icmp any any
access-group aclout in interface outside
When I tried to apply aclin for outbound icmp, with the command:
access-group aclin out interface inside
the PIX responded with:
Type help or '?' for list of available commands.
When I repeated the command with ? at the end, the PIX responded with:
usage: [no] access-group in interface inside
It seemed the PIX only requires permitting inbound ICMP from the outside. So
I proceeded with the pings. My output is below:
From Router:
NB: pixout, pixin and exchange are host entries on router for PIX outside
interface, PIX inside interface and exchange server with IP addresses
66.135.55.172, 10.240.77.1 and 10.240.77.3 respectively.
MyRouter#ping pixout
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.135.55.172, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
MyRouter#ping pixin
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.240.77.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
MyRouter#ping exchange
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.77.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
From PIX:
NB: I used on the pix for name-to-IP address mapping the following:
names
name 66.135.55.171 gateway
name 10.240.77.3 exchange
PIX# ping gateway
gateway response received -- 0ms
gateway response received -- 0ms
gateway response received -- 0ms
PIX# ping exchange
exchange response received -- 0ms
exchange response received -- 0ms
exchange response received -- 0ms
PIX#
From Exchange:
C:\>ping 10.240.77.1
Pinging 10.240.77.1 with 32 bytes of data:
Reply from 10.240.77.1: bytes=32 time
C:\>ping 66.135.55.171
Pinging 66.135.55.171 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 66.135.55.171:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 66.135.55.172
Pinging 66.135.55.172 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 66.135.55.172:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
I can ping from the router thru the PIX to the Exchange server in the inside
network, from the PIX all around, from the Exchange to the PIX inside
interface but not from Exchange to the PIX outside interface and to the
router. I know it's gotta be something simple, but can't seem to figure it
out.
The PIX is 506E version 6.1(2). I would greatly appreciate it if somebody would
just point out to me what I'm missing.
TIA.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57188&t=57188