RE: RA VPN users can not ping remote LAN

From: Tony Varriale (tvarriale@flamboyaninc.com)
Date: Sun Jul 20 2008 - 02:27:26 ART


This isn't a hairpin issue if I read this correctly (different security
interfaces). If he was using hairpinning previously he's on >7.2, as that is
when the command was introduced.

If you'd be kind enough to send all the configs with sensitive info removed, we
can help you out.

Tony

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jian Gu
Sent: Saturday, July 19, 2008 11:42 PM
To: Joseph Brunner
Cc: Paul Dardinski; ccielab@groupstudy.com
Subject: Re: RA VPN users can not ping remote LAN

It is running 7.x

On Sat, Jul 19, 2008 at 8:45 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:

> All Good points, Master Paul;
>
> One question I have now, is what version PIX 515 is this? Hopefully 7.x,
> which permits intra/inter anything.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Paul Dardinski
> Sent: Saturday, July 19, 2008 10:06 PM
> To: Jian Gu
> Cc: ccielab@groupstudy.com
> Subject: RE: RA VPN users can not ping remote LAN
>
> The intra hairpin worked previously w/site-to-site, right? Assuming that to
> be the case then the only delta is the change of interface (which I assume
> is routed correctly for the new site-to-site between offices). As you
> haven't changed any of the IP addies and only added a new int, take a look
> at your sec level on the new int and ensure it's not lower than the RA.
> Also, ensure you have inter-interface traffic permitted (I'm assuming you
> had intra-interface permitted before).
>
> PD (#16842 RS/Sec)
>
> =======================================================================
>
> Paul Dardinski - CCIE #16842 (RS & Security)
> CCNP, CCDA, MCSE, MBA
> Cisco Wireless Specialist
> Marshall Communications
> 20098 Ashbrook Place
> Suite 260
> Ashburn, VA 20147
> (571) 223-2010 (Ext 105)
> FAX: (571) 223-2012
>
> "Systems Integration...IS...the Total
> Solution"
>
> =======================================================================
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jian Gu
> Sent: Saturday, July 19, 2008 6:33 PM
> To: Cisco certification
> Subject: RA VPN users can not ping remote LAN
>
> Hi, all,
>
> This is a real-world scenario. We have two offices, one in San Jose and the
> other in LA. The network is very simple: each office has a PIX 515 and has
> one L3 subnet directly attached to the firewall's inside interface; the
> subnets are 192.168.1.0/24 and 192.168.2.0/24, respectively. Each firewall
> has two public IP addresses, one public address dedicated to Internet
> access and IPsec RA access, and the other public IP dedicated to site2site
> VPN. The address pool for remote access VPN in the SJ office is
> 10.10.10.0/24, while the remote access pool in the LA office is taken from
> the 192.168.2.0/24 space. So everything worked fine: when employees VPN in
> to either firewall, they can access Email/files in either location.
>
> We now decided to get rid of the site2site VPN and go with the MPLS VPN
> service provided by ATT. The MPLS VPN service was attached to a third
> interface (nameif MPLS) on the firewall, and we changed the static route on
> the firewall such that traffic between the two offices is routed to
> interface MPLS. The cutover was successful, meaning that hosts in both
> offices can communicate with each other fine.
>
> The only problem is that remote access users can only access servers in
> their local office but cannot access servers (or ping) in the remote
> office. I think somehow the firewall does not route traffic coming from RA
> VPN to the new (MPLS) interface, but I cannot figure out why that is so,
> because the routing looks correct, and NAT translation is also OK.
>
> If you guys have any suggestions, please advise; I can post the relevant
> configuration if that helps.
>
> Thanks,
> Jian
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
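The points raised in the thread (security level of the new interface, inter- versus intra-interface permission, the static route, and NAT exemption for the RA pool) collected into one PIX 7.x configuration for the SJ side. This is an added illustration, not a config posted by anyone in the thread. Interface names other than MPLS, the public and MPLS link addresses (203.0.113.0/24, 10.0.0.0/30), the security-level values and the pool/ACL names are assumptions; the subnets 192.168.1.0/24, 192.168.2.0/24 and the RA pool 10.10.10.0/24 come from the original post.

```cisco
! Added example for the SJ PIX 515 (7.x). Addresses and names other than
! the nameif MPLS and the three subnets from the thread are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif MPLS
 security-level 50
 ip address 10.0.0.1 255.255.255.252
!
! Before the cutover, RA traffic entered and left on outside (hairpin to
! the site-to-site tunnel): that needs only intra-interface. After the
! cutover it enters on outside and leaves on MPLS, so if you gave MPLS the
! same security-level as outside, inter-interface must be permitted too.
! Note that inter-interface opens every pair of same-level interfaces,
! not just outside<->MPLS, so keep interface ACLs in place.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
!
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! NAT exemption: inside <-> RA pool and inside <-> LA LAN (was already
! needed for the old tunnel), plus RA pool -> LA LAN for the new
! outside -> MPLS path. The outside-side exemption only matters if
! nat-control is enabled (kept on by 6.x-to-7.x upgrades).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list RA-NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list RA-NONAT
!
! The changed static route from the thread: LA LAN now via MPLS.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route MPLS 192.168.2.0 255.255.255.0 10.0.0.2 1
!
! Checks to run while an RA user pings 192.168.2.x:
!   show nameif                                -> levels of outside vs MPLS
!   show running-config same-security-traffic  -> both permits present?
!   show route                                 -> 192.168.2.0/24 via MPLS
!   show running-config nat                    -> exemption covers 10.10.10.0/24
!   show crypto ipsec sa                       -> decaps increment on outside
```

One check the thread does not mention but which this design needs: the return path. The LA PIX must have a route for 10.10.10.0/24 pointing at its MPLS interface (e.g. `route MPLS 10.10.10.0 255.255.255.0 <provider next-hop> 1`), and the provider VRF must carry that prefix back to the SJ site; otherwise the ping leaves SJ correctly but the reply never comes back, which looks exactly like the firewall dropping it.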



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART