01-30-2020 01:34 PM
Hi Network Experts,
Need your help guys,
I built a new IPsec VPN site-to-site tunnel between the vendor's (IBM) firewall and our company firewall. The VPN tunnel is up and all Phase 2 tunnels are up.
- I can ping from our server 10.192.61.166 to the vendor servers 10.113.172.9 and 10.113.173.6.
- But from the vendor servers 10.113.172.9 and 10.113.173.6 I cannot ping our server 10.192.61.166.
I checked with Fortigate TAC: from the vendor side to our firewall, the packets are passing through our firewall but cannot reach 10.192.61.166.
See the attached network diagram.
Fortigate TAC says there is a routing issue on the Layer 3 switch or on the Layer 2 Cisco switch on our side. But I am not sure what the issue is, because when I tried to isolate it with a completely separate network over the IPsec VPN tunnel to our company network, I could ping 10.192.61.166 successfully.
Cisco 4500 Catalyst Layer 3 switch:
router ospf 1
 redistribute connected
 redistribute static
 network 10.192.0.0 0.0.0.3 area 0
 network 10.192.60.224 0.0.0.3 area 0
 network 10.192.60.248 0.0.0.3 area 0
 network 10.192.61.0 0.0.0.127 area 0
 network 10.192.61.128 0.0.0.127 area 0
 network 10.192.61.0 0.0.0.255 area 0
 network 10.192.62.0 0.0.1.255 area 0
 network 10.192.64.0 0.0.3.255 area 0
 network 172.17.1.0 0.0.0.255 area 0
 network 172.17.2.0 0.0.0.7 area 0
!
no ip http server
no ip http secure-server
!
! Static routes (default and the vendor subnets point at 10.192.60.225)
ip route 0.0.0.0 0.0.0.0 10.192.60.225
ip route 10.65.88.0 255.255.255.128 10.192.60.225
ip route 10.65.88.5 255.255.255.255 170.224.54.254
ip route 10.113.172.0 255.255.255.0 10.192.60.225
ip route 10.113.172.1 255.255.255.255 169.63.78.146
ip route 10.113.173.0 255.255.255.0 10.192.60.225
ip route 10.192.64.0 255.255.252.0 Vlan101
ip route 172.17.1.0 255.255.255.0 Vlan300
!
! VLAN 102 is the subnet where 10.192.61.166 belongs
interface Vlan102
 description Server Farm Lan
 ip address 10.192.61.129 255.255.255.128
On the Layer 2 Cisco 2960 switch:
interface Vlan102
 ip address 10.192.61.159 255.255.255.128
!
! Access port where the server 10.192.61.166 is connected
interface GigabitEthernet2/0/30
 switchport access vlan 102
!
ip default-gateway 10.192.61.129
ip http server
ip http secure-server
!
access-list 3 permit 10.192.0.0 0.0.255.255
access-list 3 deny 172.17.0.0 0.0.255.255
access-list 3 permit any
I am not sure if there is a missing route or a VLAN issue here. Can you please help me? Thanks a lot in advance.
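As an added example (not from the original poster or any of the replies), the script below loads the static routes and the VLAN102 SVI quoted in the post, performs an IOS-style longest-prefix match to show which next hop the Catalyst uses for replies towards each vendor host, and lists the host routes (/32) whose next hop differs from the prefix that covers them. Assumptions: only the VLAN102 subnet is modelled as a connected route, an interface name counts as a directly connected next hop, and OSPF-learned routes are not modelled because the post shows none.

```python
import ipaddress

# Lines copied from the Catalyst 4500 configuration in the post; the VLAN102
# SVI is included so the server address 10.192.61.166 resolves locally
# (assumption: no other SVIs matter for this lookup).
IOS_CONFIG = """\
interface Vlan102
 ip address 10.192.61.129 255.255.255.128
ip route 0.0.0.0 0.0.0.0 10.192.60.225
ip route 10.65.88.0 255.255.255.128 10.192.60.225
ip route 10.65.88.5 255.255.255.255 170.224.54.254
ip route 10.113.172.0 255.255.255.0 10.192.60.225
ip route 10.113.172.1 255.255.255.255 169.63.78.146
ip route 10.113.173.0 255.255.255.0 10.192.60.225
ip route 10.192.64.0 255.255.252.0 Vlan101
ip route 172.17.1.0 255.255.255.0 Vlan300
"""

# Administrative distances IOS uses to break ties between equal-length prefixes.
ADMIN_DISTANCE = {"connected": 0, "static": 1}


def mask_to_prefixlen(mask):
    """Convert an IOS dotted-decimal subnet mask (not a wildcard) to a prefix length."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def parse_ios_routes(config):
    """Build a list of (network, next_hop, source) from 'ip route' lines and SVI addresses."""
    rib = []
    iface = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):  # top-level line: leave any interface block
            iface = parts[1] if parts[0] == "interface" and len(parts) > 1 else None
        if parts[:2] == ["ip", "address"] and iface and len(parts) >= 4:
            net = ipaddress.ip_network(f"{parts[2]}/{mask_to_prefixlen(parts[3])}", strict=False)
            rib.append((net, iface, "connected"))
        elif parts[:2] == ["ip", "route"] and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{mask_to_prefixlen(parts[3])}", strict=False)
            rib.append((net, parts[4], "static"))
    return rib


def lookup(rib, dst):
    """Longest-prefix match for dst; ties go to the lower administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -ADMIN_DISTANCE[r[2]]))


def return_path(rib, remote_hosts):
    """Map each remote host to (matched prefix, next hop) the Catalyst would use for replies."""
    result = {}
    for host in remote_hosts:
        hit = lookup(rib, host)
        result[host] = (str(hit[0]), hit[1]) if hit else None
    return result


def more_specific_overrides(rib):
    """Return (specific, its next hop, covering prefix, its next hop) for every route whose
    closest covering prefix (the default route excluded) points at a different next hop.
    These entries make one host in a subnet behave differently from its neighbours."""
    found = []
    for spec in rib:
        covers = [c for c in rib
                  if c is not spec and 0 < c[0].prefixlen < spec[0].prefixlen
                  and spec[0].subnet_of(c[0])]
        if not covers:
            continue
        cover = max(covers, key=lambda c: c[0].prefixlen)
        if cover[1] != spec[1]:
            found.append((str(spec[0]), spec[1], str(cover[0]), cover[1]))
    return found


if __name__ == "__main__":
    rib = parse_ios_routes(IOS_CONFIG)
    for host, path in return_path(rib, ["10.113.172.9", "10.113.173.6", "10.113.172.1"]).items():
        print(f"reply to {host:<14} via {path[1]:<15} (matched {path[0]})")
    for spec, nh, cover, cover_nh in more_specific_overrides(rib):
        print(f"{spec} -> {nh} overrides {cover} -> {cover_nh}")
```

Run it as-is to see that replies to 10.113.172.9 and 10.113.173.6 leave via 10.192.60.225 on the /24 routes, while 10.113.172.1 (and 10.65.88.5) are sent to a different next hop by their /32 entries; the same functions accept any other IOS static-route block pasted into IOS_CONFIG.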
01-30-2020 02:05 PM
Hi,
Are you able to ping your server from your company firewall?
Is 10.192.60.225 your firewall interface?
01-30-2020 08:39 PM
For the traffic to and from the tunnel, you need to look at the ACL that was permitted.
What is the server (check the server's own firewall; it is enabled by default in most new Windows environments)?
Try traceroute and ping to the server from the far-end network (and analyze the monitor on your FW).
Note: we may be missing something in your diagram, so please attach it again so we can understand better.