From: Jian Gu (guxiaojian@gmail.com)
Date: Sat Jul 19 2008 - 20:47:51 ART
Hi, Joe,
I have that configured; otherwise we would not have connectivity across the
MPLS link if this line were not there.
Jian
On Sat, Jul 19, 2008 at 4:39 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:
> Go ahead and give us a
>
>
> static (inside,mpls) 10.10.10.0 10.10.10.0 255.255.255.0 (in SJ)
>
> or
>
> static (outside,mpls) 10.10.10.0 10.10.10.0 255.255.255.0 (in SJ)
>
> You can troubleshoot these quickly with debugging logging. You'll see the
> failure of connections in the logs...
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jian Gu
> Sent: Saturday, July 19, 2008 6:33 PM
> To: Cisco certification
> Subject: RA VPN users can not ping remote LAN
>
> Hi, all,
>
> This is a real-world scenario: we have two offices, one in San Jose and the
> other in LA. The network is very simple: each office has a PIX 515 and
> one L3 subnet directly attached to the firewall's inside interface; the
> subnets are 192.168.1.0/24 and 192.168.2.0/24, respectively. Each firewall
> has two public IP addresses, one dedicated to Internet access and IPsec RA
> access, and the other dedicated to site2site VPN. The address pool for
> remote access VPN in the SJ office is 10.10.10.0/24, while the remote access
> pool in the LA office is taken from the 192.168.2.0/24 space. So everything
> worked fine: when employees VPN in to either firewall, they can access
> Email/files in either location.
>
> We now decided to get rid of the site2site VPN and go with the MPLS VPN
> service provided by ATT. The MPLS VPN service was attached to a third
> interface (nameif MPLS) on the firewall, and we changed the static route on
> the firewall such that traffic between the two offices is routed to
> interface MPLS. The cutover was successful, meaning that hosts in both
> offices can communicate with each other fine.
>
> The only problem is that remote access users can only access servers in
> their local office but cannot access (or ping) servers in the remote office.
> I think somehow the firewall does not route traffic coming from RA VPN to the
> new (MPLS) interface, but I cannot figure out why that is so, because the
> routing looks correct, and NAT translation is also OK.
>
> If you guys have any suggestions, please guide, I can post the relevant
> configuration if that helps.
>
> Thanks,
> Jian