Connection issue across subnets

I have 2 sites which are connected via a VPN tunnel.

Site A is the main HQ

Site B is in Cali

In Site B we have a 4503 which has several 3560s connected to the 4503 via fiber trunks.

When trying to communicate over the VPN by means of ping or telnet we cannot connect to it. We can connect to all of the 3560s which are plugged in to the 4503.

I think the command which is allowing the 3560s to work is the ip classless command. But there is no ip classless command for the 4503 running 12.2 IOS.

If I connect to one of the 3560s in Site B I can telnet and ping the 4503 just fine.

What am I doing wrong?

Edison Ortiz
Hall of Fame Mentor

Verify the default gateway on the 3560s and match it on the 4503 with the command

ip default-gateway [gateway ip]

Have you tried turning routing on on the 4503?

Type 'ip routing' in config mode and then try the ip classless command. However, ip classless won't give you the ability to communicate to other subnets.

You need a gateway in the 4503 switch or a device on that segment serving as an ip proxy.

Yes, there is an ip default-gateway command and it is the same IP as on the 3560s.

ip routing is not on.

Edison Ortiz
Hall of Fame Mentor

Verify the Layer 3 information on the 4503 is on the same VLAN as the Layer 3 information on the 3560s.

Do you mind posting configs?

Sure, here they are.

Edison Ortiz
Hall of Fame Mentor

Very simple config.

Can the 4503 ping ?

What device is ?

Can you post show ip route from both the 3560 and 4503?

Yes, the 4503 can ping anything on the network. The .1 is the gateway, which is a Checkpoint firewall which leads to the network which is where we are doing all our testing from.

The only route in the 4503 is the

I am a little confused. Are you doing the tests from the Checkpoint firewall at the HQ or the Cali office?

Is the VPN tunnel established on the Checkpoint?

I was testing from a PC on the network at Site A. The only way I can get to the 4503 is to telnet in to a 3560 in Site B and then connect to it from there. All the 3560s are fine to telnet to, just not the 4503, and they are all on the same subnet.

Edison Ortiz
Hall of Fame Mentor

I recommend verifying the CheckPoint logs and checking for packets being dropped to/from the 4503 address.

OK, will have them look at the Checkpoint.

Hi bdillon,

Any luck yet? I have the same problem. 3560s give no problem, only my 4503. We also use a Checkpoint firewall, but there is nothing to see there.

I think there is something with the default gateway. If I do the command sh ip route on my 3560 I see the configured default gateway.

If I do this on my 4503 I get the message "no gateway of last resort", although I did configure the ip default-gateway command.

Sorted the problem:

ip route <>
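As an added illustration, not posted by anyone in this thread: on a Catalyst switch with ip routing enabled, ip default-gateway is ignored and the switch needs a static default route instead, which is the "Gateway of last resort is not set" symptom described above. The VLAN, addresses and interface name below are constructed placeholders, and it is assumed that ip routing is enabled on the 4503.

```cisco
! Added example, not from this thread. Assumes the 4503 management SVI is
! VLAN 1 on 192.0.2.0/24 with the Checkpoint firewall at .1 (constructed
! placeholder addresses).
!
! --- Layer 2 only (ip routing disabled), which is how the 3560s behave ---
no ip routing
ip default-gateway 192.0.2.1
! "show ip route" lists the default gateway, and replies to hosts on other
! subnets (the VPN peer at Site A) leave via .1.
!
! --- With ip routing enabled, the ip default-gateway line is ignored ---
ip routing
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
! Without the route below "show ip route" reports
! "Gateway of last resort is not set": the switch can reach its own
! subnet (the 3560s) but cannot answer hosts behind the VPN.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verify: "show ip route" should now show a gateway of last resort via
! 192.0.2.1, and a ping from the 4503 to a Site A host should succeed.
```

If the switch does not need to route between VLANs, disabling ip routing and keeping only ip default-gateway is the smaller change; either way, the firewall logs remain the place to confirm nothing is dropped to/from the 4503 address.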