10-25-2022 02:20 AM - last edited on 10-27-2022 10:21 PM by Translator
Hi
I have stumbled into some routing problems on our ISR2900.
We use this 2900 to run all our IPsec tunnels.
Yesterday we configured a new tunnel to an external company.
client -> tunnel -> 2900 -> 2900-inside -> Cisco ASA -> ping local networks = OK
client -> tunnel -> 2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK
I see the return traffic comes back to the 2900-outside from the Palo Alto. I did a packet capture on the 2900-outside to confirm this.
When I ping the client from a DMZ host (terminated on the Palo Alto) I get "Destination net unreachable".
When I ping from the local networks I get the ping response from the client.
Why is the traffic entering 2900-inside from the local networks routed into the tunnel, but not the traffic from the Palo Alto via 2900-outside?
Regards,
Geir
10-26-2022 05:11 AM
Hi
I went over the config and prepared it for posting here.
When I was almost ready to post the config I discovered an old ACL that was mapped to the outside interface,
and I saw that the client IP range was missing. Added the missing IP range and I got it all working.
Thanks for helping me out.
Regards,
Geir
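As an added illustration of the kind of fix described in this post (a constructed example, not Geir's actual configuration; the interface name, peer address and client range are assumed), the outside interface carries an inbound extended ACL, and the Internet replies for the partner's client range only reach the tunnel once that destination range is permitted:

```text
! Constructed example, not the poster's running config.
! Assumed: Gi0/0 is 2900-outside (facing the Palo Alto), the partner
! VPN peer is 203.0.113.10 and the partner client range is
! 198.51.100.0/24 (documentation addresses).
ip access-list extended OUTSIDE-IN
 remark -- tunnel establishment and ESP from the partner peer --
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 remark -- return traffic from the Palo Alto to the partner client range --
 remark -- this is the line that was missing: without it the implicit deny
 remark -- drops the Internet replies before they can be routed into the tunnel
 permit ip any 198.51.100.0 0.0.0.255
 deny ip any any log
!
interface GigabitEthernet0/0
 description 2900-outside to Palo Alto
 ip access-group OUTSIDE-IN in
!
! Verification while a client pings the Internet: the match counter on
! the new permit line should increase, the log-tagged deny shows what
! is still being dropped, and the IPsec SA should show encaps growing.
! show ip access-lists OUTSIDE-IN
! show ip route 198.51.100.1
! show crypto ipsec sa | include pkts
```

Keeping an explicit `deny ip any any log` at the end of the ACL makes this class of problem visible in the logs the next time a tunnel is added.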
10-25-2022 08:16 AM
If you disable the newly configured tunnel, does it work as expected?
We also need a diagram of the topology mentioned, the config and some route output.
10-25-2022 08:30 AM
Can you draw the topology?
10-26-2022 12:05 AM
Hi
The topology:
Regards,
Geir
10-26-2022 12:23 AM - last edited on 10-27-2022 10:23 PM by Translator
Hello,
Post the full running configuration (sh run) of the 2900 router.
10-26-2022 04:43 AM - last edited on 10-27-2022 10:24 PM by Translator
client -> tunnel -> 2900 -> 2900-outside -> Palo Alto -> ping internet = NOT OK
Here you need to NAT (overload) the client subnet on the Palo Alto firewall to make it reach the Internet; remember the Internet only knows the outside IP of the Palo Alto, not the IP of the client.
10-26-2022 05:21 AM
Glad your issue is solved.
Good job, friend.