Re: PIX remote through 3005 central to remote networks

neilcperry · ‎12-17-2004

I have a PIX 501 at home and connect to my 3005 concentrator at work. I can access all network resources local to the inside/private interface of the concentrator but nothing beyond that LAN at work.

I can ping remote devices from the concentrator itself but nothing from clients coming through the vpn at my home. I've also verified that the 501 acl's are correct to not nat traffic destined for these remote subnets.

Any guidance is greatly appreciated.

Thanks,

Neil

gfullage · ‎12-19-2004

This sounds like a routing issue, in that the remote networks behind the 501 don't know how to get back to your network behind the 501.

You don't mention if this is a LAN-to-LAN tunnel or an EzVPn tunnel. If the former then the entire network behind the 3005 needs to have a route back to your local network, that route has to eventually send the traffic back to the private interface of the 3005. If it is an EzVPN tunnel, then the remote 3005 networks don't have a route back to the pool of addresses that the 3005 is allocating to the 501, again they will need this route and it will have to eventually route the packets back to the private interface of the 3005.

neilcperry · ‎12-20-2004

I just thought of what this might be. I had the routes for both the EzVPN and the LAN-to-LAN segments on all routers, including the layer 3 core switch at the host. From home I could access remote subnets physically local to the VPN concentrator but nothing traversing the WAN.

I probably need to call our WAN provider and make sure they have the VPN subnets in their BGP tables for the host site. This is a new service we are under now so it's another possible cause of problems I have to work into the steps.

Thanks for your input and I'll definitely be back on here if that wasn't the issue.