IPSec VPN OK, cannot ping from router to hosts on remote LAN



I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
Zyxels 652 (remotes).

I am able to establish ICMP communications (send receive) among hosts on a
given LAN and hosts on the other LAN. Other protocols and applications also
work correctly (UDP/TCP, remote control software, data transfer software
etc.).

I realized I could not do the same from my Cisco router, i.e. it cannot ping
any hosts on the remote LAN. I cannot even ping the LAN interface of the
remote router.

Following a "trace" command I learned the router just sends its ICMP packets
at its default gateway (interface dialer0, being this a PPPoE-type
connection), where they are soon lost, being addressed to a private LAN.

How can I tell my router to send packets addressed to my remote LANs towards
the IPSec tunnels?

Thanks for any suggestion.


Mirko


0
Reply Mirko 7/30/2004 4:26:47 PM

In article <bFuOc.76364$5D1.3824121@news4.tin.it>, nospam@nospam.it 
says...
> I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
> Zyxels 652 (remotes).
> 
> I am able to establish ICMP communications (send receive) among hosts on a
> given LAN and hosts on the other LAN. Other protocols and applications also
> work correctly (UDP/TCP, remote control software, data transfer software
> etc.).
> 
> I realized I could not do the same from my Cisco router, i.e. it cannot ping
> any hosts on the remote LAN. I cannot even ping the LAN interface of the
> remote router.
> 
> Following a "trace" command I learned the router just sends its ICMP packets
> at its default gateway (interface dialer0, being this a PPPoE-type
> connection), where they are soon lost, being addressed to a private LAN.
> 
> How can I tell my router to send packets addressed to my remote LANs towards
> the IPSec tunnels?
> 
> Thanks for any suggestion.
> 
> 

You need to specify your routers (ping source) address in your crypto 
access list. You also need to be sure which address is your source 
address when you ping from the router (it is possible to specify source 
address using extended ping).

-- 
-Ivan.

*** Use Rot13 to see my eMail address ***
0
Reply Ivan 7/30/2004 7:41:51 PM


On Fri, 30 Jul 2004 11:26:47 -0500, Mirko wrote:

> I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of
> cheap Zyxels 652 (remotes).
> 
> I am able to establish ICMP communications (send receive) among hosts on
> a given LAN and hosts on the other LAN. Other protocols and applications
> also work correctly (UDP/TCP, remote control software, data transfer
> software etc.).
> 
> I realized I could not do the same from my Cisco router, i.e. it cannot
> ping any hosts on the remote LAN. I cannot even ping the LAN interface
> of the remote router.
> 
> Following a "trace" command I learned the router just sends its ICMP
> packets at its default gateway (interface dialer0, being this a
> PPPoE-type connection), where they are soon lost, being addressed to a
> private LAN.
> 
> How can I tell my router to send packets addressed to my remote LANs
> towards the IPSec tunnels?
> 
> Thanks for any suggestion.
> 
> 
> Mirko
 
You want to source the ping from the lan interface via extended ping.
Type "ping ip" and hit enter.  You will be prompted for more information,
 including the source interface.

Rik Bain
0
Reply Rik 7/30/2004 7:46:32 PM

Ivan,
        you were right as both suggestions were necessary for this to work.

I opened ICMP on inbound interface (dialer0) from "remote private LAN" to
"local private LAN".

Being still unsuccessful in pinging the remote host from my router, I used
"extended ping" to specify ethernet0 as the source of the ICMP request. I
also used "debug ip ICMP" to gather useful information.

This worked as I started to receive echo replies from the remote hosts.

Now I wonder: how does the IOS select the default interface to stamp its
ping packets with? Is it possible to have it changed to the ethernet0 by
default?

Thanks for your advice.


Mirko


"Ivan Ostres" <vina.bfgerf@mt.ugarg.ue> wrote in message
news:MPG.1b74c0bd756810129896c1@news.individual.net...
> In article <bFuOc.76364$5D1.3824121@news4.tin.it>, nospam@nospam.it
> says...
> > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of cheap
> > Zyxels 652 (remotes).
> >
> > I am able to establish ICMP communications (send receive) among hosts on a
> > given LAN and hosts on the other LAN. Other protocols and applications also
> > work correctly (UDP/TCP, remote control software, data transfer software
> > etc.).
> >
> > I realized I could not do the same from my Cisco router, i.e. it cannot ping
> > any hosts on the remote LAN. I cannot even ping the LAN interface of the
> > remote router.
> >
> > Following a "trace" command I learned the router just sends its ICMP packets
> > at its default gateway (interface dialer0, being this a PPPoE-type
> > connection), where they are soon lost, being addressed to a private LAN.
> >
> > How can I tell my router to send packets addressed to my remote LANs towards
> > the IPSec tunnels?
> >
> > Thanks for any suggestion.
> >
> >
>
> You need to specify your routers (ping source) address in your crypto
> access list. You also need to be sure which address is your source
> address when you ping from the router (it is possible to specify source
> address using extended ping).
>
> -- 
> -Ivan.
>
> *** Use Rot13 to see my eMail address ***


0
Reply Mirko 7/31/2004 7:05:15 PM

Thanks Rik I tried it and by also opening the firewall to ICMP replies it
worked well.

Mirko

"Rik Bain" <rik@remove.bainz.org> wrote in message
news:410aa4bf$0$94552$ec3e2dad@news.usenetmonster.com...
> On Fri, 30 Jul 2004 11:26:47 -0500, Mirko wrote:
>
> > I realized a star shaped VPN among a Cisco 837 (hub) and a bunch of
> > cheap Zyxels 652 (remotes).
> >
> > I am able to establish ICMP communications (send receive) among hosts on
> > a given LAN and hosts on the other LAN. Other protocols and applications
> > also work correctly (UDP/TCP, remote control software, data transfer
> > software etc.).
> >
> > I realized I could not do the same from my Cisco router, i.e. it cannot
> > ping any hosts on the remote LAN. I cannot even ping the LAN interface
> > of the remote router.
> >
> > Following a "trace" command I learned the router just sends its ICMP
> > packets at its default gateway (interface dialer0, being this a
> > PPPoE-type connection), where they are soon lost, being addressed to a
> > private LAN.
> >
> > How can I tell my router to send packets addressed to my remote LANs
> > towards the IPSec tunnels?
> >
> > Thanks for any suggestion.
> >
> >
> > Mirko
>
> You want to source the ping from the lan interface via extended ping.
> Type "ping ip" and hit enter.  You will be prompted for more information,
>  including the source interface.
>
> Rik Bain


0
Reply Mirko 7/31/2004 7:07:23 PM

In article <L3SOc.62121$OR2.3471977@news3.tin.it>, nospam@nospam.it 
says...
> Subject: Re: IPSec VPN OK, cannot ping from router to hosts on remote LAN
> From: "Mirko" <nospam@nospam.it>
> Organization: TIN
> Newsgroups: comp.dcom.sys.cisco
> 
> Ivan,
>         you were right as both suggestions were necessary for this to work.
> 
> I opened ICMP on inbound interface (dialer0) from "remote private LAN" to
> "local private LAN".
> 
> Being still unsuccessful in pinging the remote host from my router, I used
> "extended ping" to specify ethernet0 as the source of the ICMP request. I
> also used "debug ip ICMP" to gather useful information.
> 
> This worked as I started to receive echo replies from the remote hosts.
> 
> Now I wonder: how does the IOS select the default interface to stamp its
> ping packets with? Is it possible to have it changed to the ethernet0 by
> default?
> 
> Thanks for your advice.
> 
> 

You don't have to use extended ping (all the options) to set the source 
address. You can do it directly:

ping 1.2.3.4 source 1.1.1.1 

(this is from top of my head so it may be wrong, but ? will give you 
right syntax).

You can also look at:

ip ping ? 

output to see if it's possible to set source up. Sorry, I don't have any 
router close to me to check it out.


-- 
-Ivan.

*** Use Rot13 to see my eMail address ***
0
Reply Ivan 8/1/2004 8:25:13 AM
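An added hub-side IOS configuration sketch that pulls together the three points raised in the thread (Ivan's crypto access list, Rik's sourced ping, and the ICMP permit Mirko had to add on dialer0). This is example configuration written for this page, not Mirko's, Ivan's or Rik's own configuration; every address, peer, ACL name and transform-set name is a constructed placeholder, and the ISAKMP policy and pre-shared key are omitted. The reason the unsourced ping failed is also visible here: a router sources a self-originated packet from the address of the interface it leaves through (dialer0's public address), and that source falls outside the crypto ACL, so the packet is routed in clear to the default gateway instead of into the tunnel. The ping command has no persistent default-source setting, so the source must be given on each ping.

```cisco
! Constructed addressing for this example (not from the thread):
!   hub LAN    192.168.1.0/24, ethernet0 = 192.168.1.1
!   spoke LAN  192.168.2.0/24, spoke public address 203.0.113.2
!
! Crypto ACL: the "interesting traffic" selector for the tunnel to this spoke.
! Only packets whose SOURCE is inside 192.168.1.0/24 match. A ping sourced
! from dialer0's public address does not match and is sent in clear to the
! default gateway; a ping sourced from ethernet0 (192.168.1.1) matches and
! is encrypted into the tunnel.
ip access-list extended VPN-TO-SPOKE1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 match address VPN-TO-SPOKE1

! Inbound ACL on the PPPoE interface. IKE and ESP from the peer must be
! allowed, and (on IOS releases that re-check the inbound ACL against the
! decrypted packet) the echo replies coming back from the remote LAN to the
! local LAN must be permitted as well, which is the "open the firewall to
! ICMP replies" step from the thread.
ip access-list extended DIALER0-IN
 permit udp host 203.0.113.2 any eq isakmp
 permit esp host 203.0.113.2 any
 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0

interface Dialer0
 ip access-group DIALER0-IN in
 crypto map VPNMAP

! Test from the router with the source pinned to the LAN address so the
! packet matches VPN-TO-SPOKE1 (192.168.2.10 is a constructed remote host):
ping 192.168.2.10 source 192.168.1.1
! Equivalent interactive form: type "ping", answer "y" to "Extended commands",
! and give 192.168.1.1 (or Ethernet0) at the "Source address or interface" prompt.
```

To confirm which path a given source/destination pair takes before pinging, `show crypto map` lists the selector ACL per peer, and `show crypto ipsec sa` shows the packet counters per security association; a sourced ping that matches the crypto ACL increments the encrypt counter, while an unsourced one does not.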

5 Replies
720 Views
