Re: internal websites issue

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Thu, 18 Jul 2013 11:09:06 +0200

Hi Sameer,

Looks like you have two gateways in your network and you try to pass
traffic coming from your GRE tunnel through the FW for inspection. This is not
gonna work since the FW is a stateful device and tries to set up a connection
first. In such a case what I always recommend is putting a router in the FW DMZ,
terminating GRE on the router and then pointing the traffic coming from the
tunnel to the FW DMZ interface. Then the connection is created, inspection
takes place and everything is fine.
Let me know if I understood your case properly.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2013/7/18 sameer inam <i_sameer_at_hotmail.com>
> Gents,
>
> I'm having an issue accessing the internal website via GRE tunnel. The case
> is like this: we have a DC router facing the internet and a Cisco FW 5510
> connected directly to the internet as well, but both devices' inside network
> is connected on the same vlan 567. DC router internal IP is 172.30.0.50/22
> and FW inside network 172.30.0.1. The servers' gateway at this site is the
> FW, 172.30.0.1.
>
> What I did is build the GRE tunnel between KSA and the DC router, so whenever
> any traffic comes from the remote end to access my server (172.30.2.83) at
> DC, it will send the traffic to the FW because of the gateway. Routing,
> everything is working fine; ping reply and tracert look good.
>
> But whenever KSA users try to access this internal server, it keeps showing
> "connecting" and then stops. I tried different MTU sizes but it doesn't
> work.
>
> The interesting part is that when I build the IPSEC from the DC FW to the KSA
> router, the application works fine from KSA.
>
> Any help on that matter is much appreciated.
>
> Kind regards,
>
> Sameer
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jul 18 2013 - 11:09:06 ART
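
The asymmetric path discussed in this thread, modeled as an added example (not part of either message and not Cisco ASA code). It assumes a permit-all policy and a simplified connection table; the KSA client address and the ports are constructed, while the server address comes from the thread.

```python
# Added illustration: a minimal stateful TCP tracker, not ASA code.
# 172.30.2.83 is from the thread; the KSA client address and the
# ports are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK

class StatefulFirewall:
    """Only a bare SYN may create a connection entry (policy assumed permit-all)."""
    def __init__(self):
        self.conns = set()

    def process(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit"
        if seg.flags == "S":
            self.conns.add(fwd)
            return "permit (new connection)"
        return "drop (no connection)"

KSA_CLIENT = "10.99.0.10"  # constructed remote-site host
SERVER = "172.30.2.83"     # internal server from the thread

def handshake(syn_crosses_firewall):
    """Return the firewall's verdicts for the first two handshake segments."""
    fw = StatefulFirewall()
    syn = Segment(KSA_CLIENT, 40000, SERVER, 80, "S")
    synack = Segment(SERVER, 80, KSA_CLIENT, 40000, "SA")
    verdicts = []
    # GRE ends on the DC router: the SYN reaches the server directly on
    # VLAN 567 and never crosses the FW. GRE ends on a DMZ router: the
    # SYN enters the FW DMZ interface first.
    if syn_crosses_firewall:
        verdicts.append(fw.process(syn))
    # The server's default gateway is the FW, so the SYN-ACK always hits it.
    verdicts.append(fw.process(synack))
    return verdicts

if __name__ == "__main__":
    print("GRE on DC router :", handshake(False))
    print("GRE on DMZ router:", handshake(True))
```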

This archive was generated by hypermail 2.2.0 : Thu Aug 01 2013 - 08:45:50 ART