Solved

LAN To LAN VPN between 3005 Concentrator and Netscreen

Posted on 2008-10-03
2
305 Views
Last Modified: 2012-08-14
VPN Tunnel is up between sites however some ip address are not pingable behind the 3005 Concentrator  side ... 10.9.2.x network .


Network:
Edge Router: - (switch where outside concentrator resides) PIX- Core Switch


Pix Firewall
ip address outside 172.16.1.2 255.255.255.0 ( Nat from edge router)
ip address inside 10.9.2.160 255.255.255.0
ip address dmz 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 10.9.1.0 255.255.255.0 10.9.2.223 1
route inside 10.9.6.0 255.255.255.0 10.9.2.160 1
route inside 10.10.1.0 255.255.255.0 10.9.2.223 1
route inside 10.10.0.0 255.255.0.0 10.9.2.223 1

Concentrator

Outside
2xx.xxx.xxx.xxx
inside :10.9.1.15


Core Switch

interface Vlan1
 ip address 10.9.2.223 255.255.255.0
 ipx network 1560B encapsulation SAP
!
interface Vlan2
 ip address 10.9.1.1 255.255.255.0
!
interface Vlan3
 ip address 10.10.3.254 255.255.255.0
!
interface Vlan6
 ip address 10.9.6.1 255.255.255.0
 ipx network 1560C encapsulation SAP
!
interface Vlan7
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan4090
 ip address 20.20.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.9.2.160
ip route 10.9.1.0 255.255.255.0 Vlan2
ip route 10.9.3.0 255.255.255.0 10.9.2.160
ip route 10.9.6.0 255.255.255.0 Vlan6
ip route 10.10.0.0 255.255.0.0 10.9.1.15
ip route 10.10.3.0 255.255.255.0 Vlan3


I can hit everything from my Side 10.10.0.0 to 10.9.1.0
I can hit 10.9.2.223 ( but nothing else unless we place route add statements on the window boxes in the 10.9.2.x network)

Regards


0
Comment
Question by:cogit
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22640577
I would bet that the default gateway for 10.9.2.x hosts = PIX firewall and not the L3 core switch?
You have to change their default to 10.9.2.223.

BTW, never add static routes to directly connected networks. The device is smart enough to know what is connected where
ip route 10.9.1.0 255.255.255.0 Vlan2 <== not necessary
ip route 10.9.6.0 255.255.255.0 Vlan6
ip route 10.10.3.0 255.255.255.0 Vlan3
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now