From: Dane Newman (dane.newman@gmail.com)
Date: Sat Jul 19 2008 - 20:47:04 ART
I read this briefly because I'm bored here, but could this be because the other site does not have a route back? So we need to do reverse route injection and redistribute into routing domain or put static routes?
Sent from my iPhone
On Jul 19, 2008, at 7:39 PM, "Joseph Brunner"  
<joe@affirmedsystems.com> wrote:
> Go ahead and give us a
>
>
> static (inside,mpls) 10.10.10.0 10.10.10.0 255.255.255.0 (in SJ)
>
> or
>
> static (outside,mpls) 10.10.10.0 10.10.10.0 255.255.255.0 (in SJ)
>
> You can troubleshoot these quickly with debugging logging. You'll see the
> failure of connections in the logs...
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jian Gu
> Sent: Saturday, July 19, 2008 6:33 PM
> To: Cisco certification
> Subject: RA VPN users can not ping remote LAN
>
> Hi, all,
>
> This is a real world scenario, we have two offices one in San Jose and the
> other one in LA, the network is very simple, each office has a PIX 515 and
> has one L3 subnet directly attached to firewall's inside interface, the
> subnets are 192.168.1.0/24 and 192.168.2.0/24, respectively. Each firewall
> has two public IP addresses, one public address dedicated to Internet access
> and IPsec RA access, and the other public IP is dedicated for site2site VPN,
> the address pool for remote access VPN in SJ office is 10.10.10.0/24, while
> remote access pool in LA office is taken from 192.168.2.0/24 space. So
> everything worked fine, when employees VPN in to either firewall, they can
> access Email/files in either location.
>
> We now decided to get rid of the site2site VPN and go with MPLS VPN service
> provided by ATT, the MPLS VPN service was attached to third interface
> (nameif MPLS) in firewall, we changed the static route on firewall such that
> traffic between two offices is routed to interface MPLS, the cutover is
> successful, meaning that hosts in both offices can communicate with each other
> fine.
>
> The only problem is remote access users can only access servers in their
> local office but can not access servers (or ping) in remote office, I think
> somehow firewall does not route traffic coming from RA VPN to the new (MPLS)
> interface, but I can not figure out why this is so, because the routing looks
> correct, and NAT translation also OK.
>
> If you guys have any suggestions, please guide, I can post the relevant
> configuration if that helps.
>
> Thanks,
> Jian
>
>
> _______________________________________________________________________
 
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART
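
The return-route hypothesis raised in this thread can be checked mechanically. The following is an added example, not part of the original messages: it runs a longest-prefix-match lookup over constructed route tables for the two firewalls and shows how office-to-office traffic can work over the MPLS interface while the SJ remote-access pool 10.10.10.0/24 does not. The route entries, the host addresses, the `outside`/`inside` interface names and the function names are assumptions.

```python
import ipaddress

# Constructed route tables (assumed, not from the thread): (prefix, egress interface).
SJ_ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("192.168.1.0/24", "inside"),
    ("192.168.2.0/24", "mpls"),   # LA LAN reached over the MPLS interface
]
LA_ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside"),
    ("192.168.2.0/24", "inside"),
    ("192.168.1.0/24", "mpls"),   # SJ LAN over MPLS; no entry for the SJ VPN pool
]
# Hypothetical fix: LA learns (or is given a static route for) the SJ VPN pool.
LA_ROUTES_AFTER = LA_ROUTES_BEFORE + [("10.10.10.0/24", "mpls")]


def egress(routes, dst):
    """Longest-prefix match: return the interface used to reach dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def path_is_symmetric(near, far, src, dst, transit="mpls"):
    """True if the request leaves `near` via transit and the reply from
    `far` back toward src also leaves via transit."""
    return egress(near, dst) == transit and egress(far, src) == transit


if __name__ == "__main__":
    # Constructed sample hosts: an SJ VPN client, an LA server, an SJ LAN host.
    vpn_client, la_server, sj_host = "10.10.10.25", "192.168.2.10", "192.168.1.10"
    for label, la in (("before", LA_ROUTES_BEFORE), ("after", LA_ROUTES_AFTER)):
        print(label, "LAN-to-LAN symmetric:",
              path_is_symmetric(SJ_ROUTES, la, sj_host, la_server))
        print(label, "VPN pool symmetric:  ",
              path_is_symmetric(SJ_ROUTES, la, vpn_client, la_server))
```

With real data, the tables would be filled from `show route` output on each firewall.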