PIX | ASA: can an inside host ping the outside interface?

Hello

I know how to configure a PIX / ASA to control whether hosts on different interfaces can ping those interfaces or ping hosts in other segments through the firewall.

But I would like to know whether it is possible to ping the outside interface from a host on the inside segment. Or is it impossible?

Thank you

IXF

Hello

As far as I know it is not possible, not even if your ACL allows ICMP. You can only ping the interface you are connected to.

Martin

DK

Tags: Cisco Security

Similar Questions

  • Guest cannot ping host in a guest only network

    Hello

    I have a Win XP SP2 guest OS running in VMware Workstation 7.1.0 build 261024 on a Win XP SP3 host OS.

    The virtual machine network is configured in the Config setting.

    Problem: I can't ping the host OS from the guest OS, but the other way works: I can ping the guest OS from the host.

    Here are the details of config:

    Host config:

    IP address: 192.168.1.100

    subnet mask: 255.255.255.0

    default gateway: 192.168.1.1

    Guest config:

    IP address: 192.168.117.128

    network mask: 255.255.255.0

    default gateway: it is empty

    DHCP server: 192.168.117.254

    Configuration of Vmnet1:

    IP address: 192.168.117.1

    NET Mask: 255.255.255.0

    default gateway: blank

    When I ping 192.168.1.100 (host IP) or 192.168.1.1 (default gateway) from the guest (192.168.117.128), I get a Destination unreachable message in both cases. Please advise on this issue.

    Kind regards

    Neon

    Welcome to the community,

    Since it is a host-only network, you can test only the vmnet adapter on the host (192.168.117.1).

    If you want to be able to access the other IP addresses, you must configure NAT or bridged networking.

    André

  • Win 8 64 Pro cannot see my PVR; can ping it by IP address but not by name, and Windows network can't see it at all.

    Win 8 64 Pro cannot see the PVR; it can ping it by IP, but not by name. Another computer, a Win 7 laptop, can see the PVR and ping it by IP address or name. Win 8 can see the Win 7 laptop.

    What should I do to get the Win 8 laptop to see the PVR?
    Thank you

    See http://www.tvix.co.kr/ENG/faq/default.aspx?bserial=0&act=RD&id=390 .

    There may be a problem of security of Windows 8. Versions of Windows are more strict on security policies. DIVCO must pay the Samba, unless the option is open to you as a user.

  • PIX VPN ping problem

    Hello

    I have a PIX 501 (6.3(4)) on a local network and am trying to use Cisco VPN Client (4.0.2-D) on a remote PC.

    I can open a VPN session.

    I can't ping from the remote PC to the LAN.

    I can ping from any station on the LAN to the remote PC.

    After I have pinged from a station on the LAN to the remote PC, I can ping from the remote PC to the LAN.

    I am such a newbie; I have been trying for 2 days, changing ACLs, no way.

    I should say that I have a dynamic WAN IP on both the local network and the remote PC.

    Any idea about this problem?

    Any help is welcome.

    Here is the configuration of my PIX:

    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup... /...
    fixup protocol tftp 69
    names
    name 192.168.42.0 Dmi
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit icmp any any
    pager lines 24
    logging on
    logging trap informational
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.x.x.x.255.255.224
    ip address inside 192.168.42.40 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
    pdm location 192.168.229.1 255.255.255.255 outside
    pdm location 209.165.x.x.x.255.255 inside
    pdm location 209.x.x.x.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http Dmi 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.42.100.
    floodguard enable
    sysopt connection permit-ipsec
    auth-prompt prompt pass
    auth-prompt accept good
    auth-prompt reject bad
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup dmivpn address-pool dmivpndhcp
    vpngroup dmivpn dns-server 192.168.42.20
    vpngroup dmivpn wins-server 192.168.42.20
    vpngroup dmivpn default-domain defi.local
    vpngroup dmivpn idle-time 1800
    vpngroup dmivpn password *.
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username vpnuser password *.
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.42.41-192.168.42.72 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum: *.

    Noelle,

    Add the command: (in config mode): isakmp nat-traversal

    Let me know if it helps.

    Jay

  • Super screen sensitive like I can't turn off the laptop and hear a clicking noise when the lid is closed

    I am running Windows 7 on a Dell Latitude tablet laptop (it has a touch screen that is not removable, but it turns). My problem is that I cannot shut down this computer and carry it from one place to another without losing all my battery power: you can hear a 'ping' when the lid is lowered. If I have to carry it, I have to turn it off completely, otherwise it will just keep producing this ping and use my battery. Does anyone know about this?

    This ping makes me believe that a key is being pressed, perhaps due to a key on the keyboard that is stuck or faulty, or possibly a product defect.

  • Can not connect to the Oracle application server management page

    Hello

    I installed Oracle Application Server 10g (10.1.2) on a Solaris server.

    I can connect to the Application Server host page

    http://<xxxx>:7777/ - it works.

    However, I am not able to connect to the control page.
    There is a link to it on the right side of the home page:
    "To manage and monitor Oracle Application Server, connect to Oracle Enterprise Manager 10g Application Server Control:
    username: ias_admin"

    http://<xxxx>:1156/ - it doesn't work.

    What could be the problem?

    Thank you
    Rane

    Published by: dgrane on November 21, 2008 16:29

    Default password for user 'oc4jadmin'? I'm not aware of this user in 10.1.2.x; maybe there's one on the OC4J side but not otherwise. If you are looking for credentials to connect to OracleAS Control (EM), the username is "ias_admin" and the password is the one you specified during the installation. There is no default password. Refer to this:
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/tools.htm#i1075023

    Thank you
    Shail

  • LAN-to-LAN tunnel established but cannot ping a host on the inside

    We have two Cisco VPN concentrators (3005).

    Behind one, we use 172.20.167.0/24 (headquarters).

    Behind the other, we use 172.20.184.0/24 (remote office).

    We are setting up a LAN-to-LAN tunnel; the tunnel establishes with no problem.

    The only problem is that I can ping only the inside interface of the headquarters concentrator. I can't ping (or otherwise communicate with) hosts on each subnet.

    On each side, you must make sure that all your hosts know that the route to the other network is via the local concentrator, either by using static routes on each host or by adding appropriate routing on whatever device is your default gateway.

    HTH

  • Guest can ping host, but host cannot ping the guest.

    Hello. I already asked this question in another discussion, but it has a different title, so I decided to ask my question in a new discussion.

    Host: Windows 7, 192.168.186.1, no gateway IP

    Guest: Windows XP, 192.168.186.2, no gateway IP

    A ping from the guest reaches the host. But when I try to ping the guest from the host, I get '100% packet loss'. How can this be explained?

    I took a look at the Windows Firewall on both computers and made sure that it is disabled.

  • PIX - static and port redirection to the same host

    PIX version 6.2

    I was looking at the following config:

    static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0

    at this URL,

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic11

    and I was wondering whether the following configuration will work or not:

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    Thanks in advance for any input.

    Ariel

    Yes, it'll be OK. What you can't have is the following:

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    and you can't have:

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    static (Inside, Outside) 172.18.124.10 TCP 10.1.1.10 netmask 255.255.255.255 0 0

    In other words, you cannot map the same port to two different ports, in either direction. The PIX will get confused when it receives a packet on the duplicate port and does not know which host to map it to. As long as all inside and outside ports map to unique ports on the other interface, you're OK.

  • The VPN Clients cannot Ping hosts

    I'll include my config in this post. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network; 192.168.1.0/24 is the main network for the office.

    I can connect to the VPN, and I receive a correct address assignment. I believe tunneling is configured correctly in the respect that I can still connect to the internet while on the VPN, but I can't ping any hosts on the 192.168.1.0 network. In the ASDM debugging log, I see the pings reach the ASA, but no response is received on the client.

    6 February 21, 2013 21:54:26 180.0.0.1 53508 192.168.1.1 0 Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508

    Any help would be greatly appreciated. I'm currently pursuing my CCNP, so I would like to get a deeper understanding of how to resolve these issues.

    -Chris

    hostname RegencyRE-ASA
    domain-name regencyrealestate.info
    enable password 2/VA7dRFkv6fjd1X encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 180.0.0.0 Regency
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     description link to REGENCYSERVER
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     description link to RegencyRE-AP
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.120 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.248
    !
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 208.67.220.220
     name-server 208.67.222.222
     domain-name regencyrealestate.info
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Regency 255.255.255.224
    access-list RegencyRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Regency 180.0.0.1-180.0.0.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm location Regency 255.255.255.0 inside
    asdm location 192.168.0.0 255.255.0.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
    route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable 8443
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 15
    ssh version 2
    console timeout 0
    dhcprelay server 192.168.1.102 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 69.25.96.13 source outside prefer
    ntp server 216.171.124.36 source outside prefer
    webvpn
    group-policy RegencyRE internal
    group-policy RegencyRE attributes
     dns-server value 208.67.220.220 208.67.222.222
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RegencyRE_splitTunnelAcl
    username adriana password encrypted privilege 0
    username christopher password encrypted privilege 15
    username irene password encrypted privilege 0
    tunnel-group RegencyRE type remote-access
    tunnel-group RegencyRE general-attributes
     address-pool Regency
     default-group-policy RegencyRE
    tunnel-group RegencyRE ipsec-attributes
     pre-shared-key R3 & eNcY1.
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
    : end

    Hello

    - Be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 via the ASA as gateway.

    - Configure the following captures:

    capture capin interface inside match icmp host 192.168.1.x host 180.0.0.x
    capture asp type asp-drop all

    then run a continuous ping and get 'show cap capin' and 'show cap asp'.

    - Then check, while pinging, that the 'encrypted' counter is increasing in the VPN client statistics.

    Let me know how it goes, hope this helps

    ----

    Mashal

  • My local network works, but why can't I ping? LAN works but not internet. A simple quest for the Jedi.

    Hi all!

    I have a weird problem and I hope some of you can enlighten me.

    The background:

    My OS is Windows Vista Home Premium SP 2. One day, I installed a proxy application, ProxyCap, as a free trial for 30 days. The application installed a few Winsock provider DLLs. After the 30 day trial, I uninstalled the app. Then the problems started. Even when the proxy application was disabled, regular internet connections were completely normal and not affected. It was only after uninstalling the app that I had problems.

    The problem:

    • The computer is no longer able to connect to any website using the browser.
    • My local network seems to be fully functional, which implies a software settings problem. I say that my LAN is functional because if I go to Control Panel --> Network and Sharing Center --> View status and look under the "Activity" section, I see the link sending and receiving packets without problem.
    • If I go to Control Panel --> Network and Sharing Center --> View status --> Diagnose, I get the message: "Cannot communicate with DNS server (xxx.xx.xxx.xxx). Network diagnostics pinged the remote host, but did not receive a response."
    • Indeed, if I go to Start --> cmd and ping my DNS server, I get a general failure for all 4 packets sent.
    • However, I am able to ping my localhost at 127.0.0.1

    My settings:

    • My ipconfig/all output: http://pastebin.com/Ksn2k2ja
    • DHCP is enabled.
    • In the LAN connection properties --> Internet Protocol Version 4 (TCP/IPv4) --> Properties, I have "Obtain an IP address automatically" and "Obtain DNS server address automatically" selected.
    • The same goes for --> Internet Protocol Version 6 (TCP/IPv6) --> Properties.
    • The Winsock Providers tab of the Sysinternals Autoruns application tells me that I have the "Bonjour Namespace Provider" active as a WinSock2 registry entry. It is mdnsNSP.dll and published by Apple Inc. It was present before installation of the proxy, and it is for iTunes. Screenshot: http://i1300.photobucket.com/albums/ag86/applemeetworm/winsock_zpsb41ca872.jpg

    What I tried:

    • I tried to reset Winsock for Vista by clicking Start --> cmd, typing netsh winsock reset, and restarting the computer.
    • I tried to reset the TCP/IP stack by clicking Start --> cmd, typing netsh int ip reset c:\resetlog.txt, and restarting the computer.
    • Restarting my router.
    • Disabling and then re-enabling my local network connection.

    Thank you all for helping me with my problem. I would be happy to provide more information as needed. Thanks for looking and thanks for offering solutions.

    See you soon!

    Hi all!

    I contacted ProxyCap and their support staff was able to solve the problem.

    Apparently, one of my Winsock2 registry entries (Winsock2, Namespace Catalog5, 5 catalog entries) had been disabled somehow, either during the uninstall or in my first attempts to address the issues after the uninstall.

    Thanks to ProxyCap and for other people who have tried to help.

    ~ Congratulations ~.

  • Network diagnostics pinged the remote host, but did not receive a response

    I'm trying to figure out whether there is a problem with just my laptop not wanting to connect to a local free WiFi, so any help is appreciated. It worked two days ago, only to stop abruptly last night.

    Windows Network Diagnostics comes back with the error message "Cannot contact www.microsoft.com (65.55.12.249)" and "Network diagnostics pinged the remote host, but did not receive a response."

    The only repair option it offers is 'Reset the network adapter "Wireless Network Connection"'.

    I can still connect to the WiFi using my iPhone, and even a companion's connected laptop computer works. Once again, if this can be fixed on my end, any help would be appreciated.

    Hello BrenJones,

    Thanks for posting back. DNS servers are controlled by your ISP. I would contact your Internet service provider and confirm that you have the correct DNS for your network.

    Hope this helps

    Adam
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think

  • Cisco 5505: from inside, I cannot ping the external IP of the router, but from inside I can ping anything else

    Hello

    Cisco 5505 internal IP: 10.10.0.1 static, security level 100

    Cisco 5505 external IP: 36.X.X.23 DHCP, security level 0

    From inside, I can ping all external hosts, for example from host 10.10.0.3 to google.com

    From inside, I can ping all internal hosts, for example from host 10.10.0.3 to 10.10.0.5, including the Cisco internal IP 10.10.0.1

    From inside, I can ping a different IP address on the same external network as my router, for example the host 36.x.x.25

    From inside, I cannot ping the IP 36.X.X.23?

    From outside, they can ping the IP 36.X.X.23

    From outside, they can ping other IPs on the external 36.X.X.X network

    How can I ping 36.X.X.23 from the inside, any suggestions?

    It's called background management which is not supported in the ASA

    https://tools.cisco.com/bugsearch/bug/CSCtd86651

    That is why it does not work and never will, by ASA design.

    It will be useful.

  • Ping on the PIX firewall

    Is it possible to ping directly from low security to high security without translations on a PIX?

    For example, 192.168.2.90 is currently natted to 10.0.0.4 by the PIX. I want to ping directly from 192.168.2.4 to 10.0.0.4.

    I can certainly ping directly from 10.0.0.4 to 192.168.2.4.

    Please let me know if you would like to see the complete config.

    I hope I understand your question completely. You are trying to ping from one interface to another on your PIX. This URL explains how this can be done.

    http://www.cisco.com/warp/public/110/31.html

  • Cannot ping hosts via the VPN client when static NAT translations are used

    Hello, I have an ISR 3825 configured for Cisco VPN client access.

    There are also several hosts on the internal network that have static NAT translations for outward-facing services.

    Everything works as expected, with the exception that, once connected via the VPN client, I cannot ping hosts on the internal network whose internal IP addresses have static NAT translations to external public addresses; I can ping any host that does not have a static NAT translation.

    For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping the internal interface of the router and any other host on the LAN, and I can ping all hosts from the router itself.

    Any help would be appreciated.

    Regards

    !
    crypto logging session
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpnclient
     key S3Cu4Ke!
     dns 192.168.1.1 192.168.1.2
     domain domain.com
     pool dhcppool
     acl 198
     save-password
     pfs
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set 3DES-SECURE esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set security-association lifetime seconds 86400
     set transform-set 3DES-SECURE
     reverse-route
    !
    crypto map cryptomap client authentication list drauthen
    crypto map cryptomap isakmp authorization list drauthor
    crypto map cryptomap client configuration address respond
    crypto map cryptomap 65535 ipsec-isakmp dynamic dynmap
    !
    interface GigabitEthernet0/0
     ip nat outside
     ip address 1.2.3.4 255.255.255.240
     crypto map cryptomap
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
    !
    ip local pool dhcppool 192.168.2.50 192.168.2.100
    !
    access-list 198 remark * Split Tunnel encrypted traffic *
    access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    access-list 199 remark * NAT0 ACL *
    access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 199
    !
    ip nat inside source route-map sheep interface GigabitEthernet0/0 overload
    !
    ip nat inside source static 192.168.1.1 1.2.3.5
    ip nat inside source static 192.168.1.2 1.2.3.6

    The problem seems to be that the static NAT takes precedence over your NAT exemption.

    The solution would be:

    ip nat inside source static 192.168.1.1 1.2.3.5 route-map sheep
    ip nat inside source static 192.168.1.2 1.2.3.6 route-map sheep

    HTH

    Herbert
