From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Jul 20 2008 - 01:52:44 ART
Are we sure the MPLS provider routes 10.10.10.0/24 in your VRF? What are you
static natting this to out interface "MPLS"?
-Joe
_____
From: Jian Gu [mailto:guxiaojian@gmail.com]
Sent: Sunday, July 20, 2008 12:42 AM
To: Joseph Brunner
Cc: Paul Dardinski; ccielab@groupstudy.com
Subject: Re: RA VPN users can not ping remote LAN
It is running 7.x
On Sat, Jul 19, 2008 at 8:45 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:
All good points, Master Paul.
One question I have now is, what version PIX 515 is this? Hopefully 7.x, which
permits intra/inter anything.
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Paul
Dardinski
Sent: Saturday, July 19, 2008 10:06 PM
To: Jian Gu
Cc: ccielab@groupstudy.com
Subject: RE: RA VPN users can not ping remote LAN
The intra hairpin worked previously w/site-to-site, right? Assuming that to
be the case, then the only delta is the change of interface (which I assume is
routed correctly for the new site-to-site between offices). As you haven't
changed any of the IP addies and only added a new int, take a look at your sec
level on the new int and ensure it's not lower than the RA. Also, ensure you
have inter-interface traffic permitted (I'm assuming you had intra-interface
permitted before).
PD (#16842 RS/Sec)
=======================================================================
Paul Dardinski - CCIE #16842 (RS & Security)
CCNP, CCDA, MCSE, MBA
Cisco Wireless Specialist
Marshall Communications
20098 Ashbrook Place
Suite 260
Ashburn, VA 20147
(571) 223-2010 (Ext 105)
FAX: (571) 223-2012
"Systems Integration...IS...the Total
Solution"
=======================================================================
WARNING - THIS E-MAIL TRANSMISSION IS CONFIDENTIAL.
This e-mail transmission (including any accompanying attachments) contains
confidential information, which is intended for the named addressee only.
If you are not the intended recipient, you are hereby notified that any use,
dissemination, distribution or reproduction of this e-mail is prohibited. If
you have received this e-mail in error please contact me immediately at
pauld@marshallcomm.com. Thank you.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jian
Gu
Sent: Saturday, July 19, 2008 6:33 PM
To: Cisco certification
Subject: RA VPN users can not ping remote LAN
Hi, all,
This is a real-world scenario. We have two offices, one in San Jose and the
other one in LA. The network is very simple: each office has a PIX 515 and
has one L3 subnet directly attached to the firewall's inside interface; the
subnets are 192.168.1.0/24 and 192.168.2.0/24, respectively. Each firewall
has two public IP addresses, one public address dedicated to Internet access
and IPsec RA access, and the other public IP dedicated to the site2site VPN.
The address pool for remote access VPN in the SJ office is 10.10.10.0/24, while
the remote access pool in the LA office is taken from the 192.168.2.0/24 space.
So everything worked fine: when employees VPN in to either firewall, they can
access Email/files in either location.
We have now decided to get rid of the site2site VPN and go with the MPLS VPN
service provided by ATT. The MPLS VPN service was attached to a third interface
(nameif MPLS) on the firewall, and we changed the static route on the firewall
so that traffic between the two offices is routed to interface MPLS. The cutover
was successful, meaning that hosts in both offices can communicate with each
other fine.
The only problem is that remote access users can only access servers in their
local office but cannot access (or ping) servers in the remote office. I think
somehow the firewall does not route traffic coming from the RA VPN to the new
(MPLS) interface, but I cannot figure out why that is so, because the routing
looks correct, and the NAT translation is also OK.
If you guys have any suggestions, please guide me; I can post the relevant
configuration if that helps.
Thanks,
Jian
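The pieces that Paul's and Joe's replies ask about (security level of the new interface, the same-security-traffic permits, NAT exemption for the RA pool toward the MPLS path, and the provider's return route) collected into one SJ-side PIX 7.x fragment. This is an added illustration, not Jian's configuration; the interface number, the 172.16.0.0/30 link addresses, the ACL and pool names are assumptions, and the remote LAN is the 192.168.2.0/24 from the original post.

```cisco
! Illustrative SJ PIX 515 (7.x) fragment for RA users reaching the LA LAN via MPLS.
! Assumed: Ethernet2 carries the MPLS circuit, next hop 172.16.0.1,
! ACL/pool names RA_TO_LA_NONAT and RA_POOL. Not the poster's real config.
!
! 1) The new interface. Left at security-level 0 like outside, so traffic that
!    terminates on outside and leaves via MPLS is a same-security hairpin.
interface Ethernet2
 nameif MPLS
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
! 2) Both permits: intra-interface covered the old outside->outside hairpin
!    to the site-to-site tunnel; inter-interface is what the outside->MPLS
!    path needs when both interfaces sit at the same security level.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
!
! 3) RA pool and the static route that now points the LA subnet at MPLS.
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
route MPLS 192.168.2.0 255.255.255.0 172.16.0.1
!
! 4) NAT exemption keyed on the ingress interface of the VPN traffic (outside).
!    A nat (inside) 0 entry for 10.10.10.0/24 does not apply to this path,
!    which is the kind of gap Joe's "what are you static natting" question
!    points at.
access-list RA_TO_LA_NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list RA_TO_LA_NONAT
!
! 5) Return path: the provider VRF must carry 10.10.10.0/24 back to SJ, or the
!    LA replies are dropped before they reach the firewall. Verify locally:
! show route | include 192.168.2.0
! show run same-security-traffic
! packet-tracer input outside icmp 10.10.10.5 8 0 192.168.2.10   (7.2 and later)
```

If the MPLS interface were instead placed at a higher security level than outside, the inter-interface permit would no longer be the gating item, but the NAT exemption on outside and the provider's route for the pool would still be required.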
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART