
VPN works, but can't ping internal hosts

Status
Not open for further replies.

khilari

Technical User
Sep 21, 2005
25
US
I posted the question but forgot to submit it... Thankfully Google Desktop Search has indexed it, so here is the screenshot of the question.


pix5209tr.png
 
Khilari-

The problem might be with an access-list or two. Can you provide us with your access-list?

Here is an example

access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0 (access-list that allows traffic to flow between inside IP's to your IP pool)

nat (inside) 0 access-list nonat (tells PIX not to NAT access-list nonat)

This is just an example; I would have to see how you have your PIX configured.

Frank
 
OK, I will upload the config and post a link in a minute.
 
Hi,

Are you connecting via the VPN client from behind another NAT device? If so, try adding 'isakmp nat-t' to your 520 config. This will allow NAT traversal, something the PIX sometimes struggles with when dealing with a NATted address. Also, what version of code are you running?

Regards Colin.
 
Trying through the VPN client on a laptop.
The laptop is of course NATting through the router.
It's a VPN 520 firewall...

Sorry, I have to go right now... Will check back in an hour. Thanks for the help so far.
 
The version is 6.2(2)

I was also researching and found out about the

isakmp nat-traversal

The client I am using is also behind a PAT device. I haven't tried the connection through any public IP address. I am guessing that would work... You guys are right, I guess; the NATting/PATting at both ends is a problem.
 
Khilari-

What are these access-lists for?
access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any

It looks as if you are trying to do split-tunneling; if that is the case, try this command instead:

access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

Then add the following commands:

vpngroup vpnwoodridge split-tunnel 103
vpngroup vpnwoodridge split-dns (your domain-name)

Frank
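The two fixes Frank describes in this thread (a `nat (inside) 0 access-list` exemption so inside-to-pool traffic is not translated, and a split-tunnel ACL that pairs the inside network with the VPN pool instead of `any`), plus Colin's `isakmp nat-traversal` point, can be checked mechanically before a config is pushed. The Python audit below is an added example written for this page, not code from the thread or from Cisco. It assumes the inside network is 192.168.0.0/24 and the client pool is 192.168.200.0/24 (inferred from the ACLs quoted above), the `vpngroup` name `vpnwoodridge` from Frank's post, and a constructed `nat (inside) 1 0.0.0.0 0.0.0.0` line to stand in for the rest of the poster's NAT policy; the two config fragments are constructed, not khilari's real configuration.

```python
import ipaddress
import re

# Assumed networks, taken from the ACLs quoted in the thread (not confirmed by the poster).
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")
POOL_NET = ipaddress.ip_network("192.168.200.0/24")

# Constructed "before" fragment: split-tunnel ACL with 'any', no nat 0 exemption, no NAT-T.
BROKEN_CONFIG = """
access-list split-tunnel permit ip 192.168.200.0 255.255.255.0 any
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 1 0.0.0.0 0.0.0.0
vpngroup vpnwoodridge split-tunnel split-tunnel
"""

# Constructed "after" fragment following Frank's and Colin's suggestions.
FIXED_CONFIG = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
vpngroup vpnwoodridge split-tunnel 103
isakmp nat-traversal
"""


def _consume_net(tokens):
    """Pop one PIX address spec ('any' or 'addr mask') and return it as an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(config):
    """Collect 'access-list NAME permit ip SRC DST' entries as {name: [(src_net, dst_net), ...]}."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            tokens = parts[4:]
            src = _consume_net(tokens)
            dst = _consume_net(tokens)
            acls.setdefault(parts[1], []).append((src, dst))
    return acls


def _covers(entries, src_net, dst_net):
    """True if some ACL entry's source contains src_net and its destination contains dst_net."""
    return any(src_net.subnet_of(s) and dst_net.subnet_of(d) for s, d in entries)


def _first_match(lines, pattern):
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit_vpn_config(config, inside_net=INSIDE_NET, pool_net=POOL_NET):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    acls = parse_acls(config)
    lines = [l.strip() for l in config.splitlines()]

    # 1. NAT exemption: inside -> pool must be listed in the 'nat (inside) 0' ACL.
    m = _first_match(lines, r"nat \(inside\) 0 access-list (\S+)$")
    if m is None:
        findings.append("no 'nat (inside) 0 access-list' exemption: inside-to-pool traffic will be NATed")
    elif not _covers(acls.get(m.group(1), []), inside_net, pool_net):
        findings.append(f"nat 0 ACL '{m.group(1)}' does not exempt {inside_net} -> {pool_net}")

    # 2. Split tunnel: the ACL should pair the inside network with the pool, not use 'any'.
    m = _first_match(lines, r"vpngroup (\S+) split-tunnel (\S+)$")
    if m is None:
        findings.append("no 'vpngroup ... split-tunnel' ACL configured")
    else:
        entries = acls.get(m.group(2), [])
        if any(d.prefixlen == 0 for _, d in entries):
            findings.append(f"split-tunnel ACL '{m.group(2)}' uses 'any' as destination; pair inside network with VPN pool instead")
        if not _covers(entries, inside_net, pool_net):
            findings.append(f"split-tunnel ACL '{m.group(2)}' does not cover {inside_net} -> {pool_net}")

    # 3. NAT traversal for clients sitting behind a NAT/PAT device.
    if "isakmp nat-traversal" not in lines:
        findings.append("'isakmp nat-traversal' missing: needed when clients connect from behind NAT/PAT")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_vpn_config(cfg) or "OK")
```

Run against the constructed "before" fragment the audit reports three findings (missing nat 0 exemption, `any` in the split-tunnel ACL, no NAT-T); the "after" fragment passes clean. The subnet checks use `ipaddress.subnet_of`, so a broader ACL entry (for example a /16 exemption like the one in Frank's first example) still satisfies the check.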
 
Thanks fdurham... I will fix that right now.

Update on the issue: I was told that I have to update the version to 6.3 to apply the "isakmp nat-traversal" command. Is it true?
 