Why I can’t ping server on remote network from AWS through VPN

Tags: amazon-vpc, amazon-web-services, vpn

I've created a VPC in Amazon and created a number of subnets, both public and private.
One of these subnets is a private subnet that has a Linux server in it.
I've created a virtual private gateway for the private subnets and an internet gateway for the public subnets.

I have created a customer gateway with the correct settings for the partner firewall and a VPN connection that uses that customer gateway.
The other party has established a VPN tunnel to AWS and AWS reports the tunnel is up.
They have pinged the server in the private subnet in AWS and can see it successfully.

However, I can't ping a server in their network from that same server in AWS.

Their server is x.x.x.x (private IP on their network).
My server IP is y.y.y.43 (private IP in the private subnet).

A traceroute from the server in AWS to their server looks like this:

traceroute to x.x.x.x (private IP on their network), 30 hops max, 60 byte packets
1  * ec2-79-125-1-96.eu-west-1.compute.amazonaws.com (79.125.1.96)  2.494 ms ec2-79-125-1-102.eu-west-1.compute.amazonaws.com (79.125.1.102)  0.567 ms
2  178.236.0.138 (178.236.0.138)  1.390 ms 178.236.0.108 (178.236.0.108)  1.044 ms 176.32.106.132 (176.32.106.132)  0.625 ms
3  178.236.0.133 (178.236.0.133)  1.138 ms 178.236.0.117 (178.236.0.117)  7.105 ms 178.236.0.119 (178.236.0.119)  1.204 ms
4  213.242.106.85 (213.242.106.85)  1.319 ms !N ae3.dub40.ip4.gtt.net (141.136.96.137)  1.321 ms !N 213.242.106.85 (213.242.106.85)  1.312 ms !N

The VPC route table looks like this:

destination y.y.0.0/16 target=local
destination x.x.x.0/24 target=virtual gateway
destination my-public-ip-I'm-connecting-from target=internet gateway

Routing table on server looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         y.y.y.1     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         y.y.y.1     0.0.0.0         UG    10001  0        0 eth1
y.y.y.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
y.y.y.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0

I have a security group associated with that server that allows ICMP and SSH incoming from my public IP I'm connecting to AWS from, outbound everything to everywhere.

I have a network ACL associated with that server that allows ICMP and SSH incoming from my public IP, outbound everything to everywhere.

How come I can't ping the server on their network? How come the traceroute seems to be looking for public IPs?

Best Answer

So despite repeated requests to verify that ICMP was allowed on the other network, it appears that it wasn't. Once they turned it on, everything worked.
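The thread above ends with the far-end firewall as the culprit, but every one of the VPC-side controls the question lists can produce the same symptom, so it is worth walking them in order before asking the other party again. The following is an added example, not code from the question or the answer: it models a VPC route table, a security group and a network ACL shaped like the ones described, then evaluates an ICMP echo from the instance to the partner host. All addresses (192.0.2.10 for x.x.x.x, 10.20.30.43 for y.y.y.43, 203.0.113.5 for the admin's public IP) and the gateway IDs are constructed placeholders. One point it makes explicit that the question does not: security groups are stateful, so an outbound rule is enough for the reply, but network ACLs are stateless, so the echo reply coming back from the partner host needs its own inbound allow rule; an ACL that only admits ICMP from the admin's public IP drops that reply inside the VPC.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the placeholders in the question; none are real hosts.
REMOTE_HOST = "192.0.2.10"      # "x.x.x.x", a host on the partner network
INSTANCE = "10.20.30.43"        # "y.y.y.43", the instance in the private subnet
ADMIN_IP = "203.0.113.5"        # "my public IP I'm connecting from"

# VPC route table shaped like the one in the question (gateway IDs are hypothetical).
VPC_ROUTES = [
    ("10.20.0.0/16", "local"),
    ("192.0.2.0/24", "vgw-0123"),
    ("203.0.113.5/32", "igw-0123"),
]

# Security group: stateful, allow rules only.  (protocol, peer CIDR)
SG = {
    "inbound":  [("icmp", "203.0.113.5/32"), ("tcp/22", "203.0.113.5/32")],
    "outbound": [("all", "0.0.0.0/0")],
}

# Network ACL: stateless, evaluated in rule-number order, first match wins,
# with the implicit deny (rule 32767) at the end.  (number, protocol, CIDR, action)
NACL = {
    "inbound":  [(100, "icmp", "203.0.113.5/32", "allow"),
                 (110, "tcp/22", "203.0.113.5/32", "allow"),
                 (32767, "all", "0.0.0.0/0", "deny")],
    "outbound": [(100, "all", "0.0.0.0/0", "allow"),
                 (32767, "all", "0.0.0.0/0", "deny")],
}


def lookup_route(dst, routes=VPC_ROUTES):
    """Longest-prefix match, as the VPC router does. Returns the target or None."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def _matches(rule_proto, rule_cidr, proto, peer):
    return rule_proto in ("all", proto) and ip_address(peer) in ip_network(rule_cidr)


def sg_allows(direction, proto, peer, sg=SG):
    """Security groups are stateful: only the initiating direction is checked."""
    return any(_matches(p, c, proto, peer) for p, c in sg[direction])


def nacl_allows(direction, proto, peer, nacl=NACL):
    """Network ACLs are stateless: each direction is checked on its own."""
    for _num, p, c, action in sorted(nacl[direction]):
        if _matches(p, c, proto, peer):
            return action == "allow"
    return False


def diagnose_ping(dst=REMOTE_HOST, remote_permits_icmp=False, routes=VPC_ROUTES,
                  sg=SG, nacl=NACL):
    """Return the reasons an echo request from the instance to dst would fail.
    An empty list means the VPC side and the far end both let the ping through."""
    problems = []
    target = lookup_route(dst, routes)
    if target is None:
        problems.append(f"no VPC route covers {dst}")
    elif not target.startswith("vgw-"):
        problems.append(f"{dst} is routed to {target}, not the virtual private gateway")
    if not sg_allows("outbound", "icmp", dst, sg):
        problems.append("security group blocks outbound ICMP")
    if not nacl_allows("outbound", "icmp", dst, nacl):
        problems.append("network ACL blocks the outbound echo request")
    if not nacl_allows("inbound", "icmp", dst, nacl):
        problems.append(f"network ACL has no inbound rule for the echo reply from {dst}")
    if not remote_permits_icmp:
        problems.append("far-end firewall does not permit ICMP from the VPC")
    return problems


if __name__ == "__main__":
    for line in diagnose_ping(remote_permits_icmp=True):
        print(line)
```

Run as-is, the script reports only the missing inbound ACL rule for the reply; with `remote_permits_icmp=False` it also reports the far-end block that the accepted answer found. Swapping the route table for one whose partner prefix is mistyped (say a /24 that does not contain the host) makes `lookup_route` return `None`, which is the VPC-side cause that would send the packet nowhere useful, so the route check comes first.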