I have a server sitting on a 192.168.194.0/24 network and a VPN connection to 10.0.3.0/24. There is no problem with the VPN.
From my server at 192.168.194.10 I can ping the inside of the remote firewall at 10.0.3.2.
I can also ping a remote server at 10.0.3.7.
I can also ping an XP workstation at 10.0.3.59.
I however cannot ping a printer at 10.0.3.8. I cannot ping a switch at 10.0.3.6. I cannot ping another XP PC at 10.0.3.60.
Locally on the server 10.0.3.7 I can ping every device mentioned so far, so they all are up, they are all valid addresses/hosts, and there are no Windows firewalls or anything else blocking ICMP.
10.0.3.2 and 10.0.3.8 are my two devices I'm concerned with below. I tried to ping and traceroute each from 192.168.194.10 in the following.
Pings (filtering for just ICMP):
Notice no replies from 10.0.3.8, just 4 requests.
Tracert to 10.0.3.8:
and that continues the same up to packet 41.
asked 11 Jan '13, 09:13
edited 11 Jan '13, 09:23
O.K., then the default gateway on subnet 10.0.3.0/24 is either not set correctly for all devices, or the connections from the other remote subnet are hidden (NAT) behind the internal IP of your firewall (10.0.3.2).
Can you please run tcpdump (or whatever capture tool your firewall provides) on the firewall's internal interface? If you see the ICMP request go to 10.0.3.8 (and 10.0.3.60), but you don't get a response, then the back route (default gateway) is not set correctly on those systems, or they have a wrong ARP cache entry for 10.0.3.2 (your firewall).
Just a dumb idea. Did you check that there is no 'historic' route for those IP addresses on the involved firewalls (both ends of the VPN tunnel)? However, then it probably would not work from another subnet either...
Are you really sure there are packet filter rules to allow those packets on the involved firewalls?
To sum it up, please check these items:
answered 11 Jan '13, 12:26
Kurt Knochner ♦
edited 11 Jan '13, 13:11
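As an added example (not code posted in this thread), the check suggested in the answer above can be applied mechanically to `tcpdump -n icmp` output from the firewall's inside interface: pair each echo request with its reply by (id, seq), list the targets that never answered, and flag the NAT case, where requests on the inside interface carry the firewall's own address (10.0.3.2) instead of 192.168.194.10. The capture lines below are constructed for illustration using the thread's addresses; they are not a real capture.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -n -i <inside-if> icmp" output, written for
# this example only. 10.0.3.7 answers; 10.0.3.8 and 10.0.3.60 never do.
SAMPLE_CAPTURE = """\
09:13:01.000100 IP 192.168.194.10 > 10.0.3.7: ICMP echo request, id 1, seq 1, length 40
09:13:01.000400 IP 10.0.3.7 > 192.168.194.10: ICMP echo reply, id 1, seq 1, length 40
09:13:02.000100 IP 192.168.194.10 > 10.0.3.8: ICMP echo request, id 1, seq 2, length 40
09:13:03.000100 IP 192.168.194.10 > 10.0.3.8: ICMP echo request, id 1, seq 3, length 40
09:13:04.000100 IP 192.168.194.10 > 10.0.3.60: ICMP echo request, id 1, seq 4, length 40
"""

# Matches the echo request/reply lines tcpdump prints with -n; other ICMP
# types (unreachable, redirect) do not match and are skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture):
    """Return one dict per echo request/reply line found in the capture text."""
    records = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["seq"] = int(d["seq"])
            records.append(d)
    return records


def unanswered_targets(records):
    """Map each target host to the seq numbers of requests that saw no reply.

    A reply matches a request when (id, seq) agree and the reply's source is
    the request's destination, so a reply from a different host does not count.
    """
    pending = {}
    for r in records:
        if r["kind"] == "request":
            pending[(r["id"], r["seq"], r["dst"])] = r["src"]
    for r in records:
        if r["kind"] == "reply":
            pending.pop((r["id"], r["seq"], r["src"]), None)
    out = {}
    for (_id, seq, dst) in pending:
        out.setdefault(dst, []).append(seq)
    return {dst: sorted(seqs) for dst, seqs in out.items()}


def nat_suspected(records, remote_subnet, firewall_inside_ip):
    """True when every request on the inside interface is sourced from the
    firewall itself and none keeps an address from the remote subnet, i.e. the
    VPN traffic is hidden (NAT) behind the firewall's inside IP. In that case
    a missing default gateway on the target cannot explain the silence, since
    replying to 10.0.3.2 needs no gateway; look at ARP or filter rules instead.
    """
    net = ipaddress.ip_network(remote_subnet)
    reqs = [r for r in records if r["kind"] == "request"]
    if not reqs:
        return False
    all_from_fw = all(r["src"] == firewall_inside_ip for r in reqs)
    any_from_remote = any(ipaddress.ip_address(r["src"]) in net for r in reqs)
    return all_from_fw and not any_from_remote


def diagnose(capture, remote_subnet="192.168.194.0/24", firewall_inside_ip="10.0.3.2"):
    """Summarise a capture: NAT hint plus the hosts that never replied.
    If nat_suspected is False and a host is listed under 'unanswered', the
    request reached the inside segment with the remote source address, so the
    target has no return route (default gateway) or a stale ARP entry."""
    records = parse_icmp_echo(capture)
    return {
        "nat_suspected": nat_suspected(records, remote_subnet, firewall_inside_ip),
        "unanswered": unanswered_targets(records),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE)
    print("NAT behind firewall suspected:", result["nat_suspected"])
    for host, seqs in sorted(result["unanswered"].items()):
        print(f"{host}: no reply to seq {seqs}")
```

Feed it the saved output of `tcpdump -n -i <inside-interface> icmp` (interface name is an assumption; use whatever the firewall calls its inside interface). A host that shows up as unanswered while NAT is not suspected is the "no way back" case the answer describes; a host that is absent from the capture entirely points at filter rules or routing on the VPN side, which this script cannot see.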
I would guess that the devices you can't ping don't have default gateways/routers configured. So they can talk to anything on their subnet but nothing beyond the subnet.
answered 11 Jan '13, 10:16