New IPSec Tunnel - Vendor cannot ping our network behind our Firewall

Hi Network Experts,

Need your help guys,

I built a new IPsec VPN site-to-site tunnel between the Vendor (IBM) firewall and our company firewall. The VPN tunnel is up and all Phase 2 is up.

- I can ping from our server 10.192.61.166 to the Vendor servers 10.113.172.9 & 10.113.173.6

- But from the Vendor servers 10.113.172.9 & 10.113.173.6 I cannot ping our server 10.192.61.166

I checked with Fortigate TAC. From the Vendor side to our firewall, packets are passing through our firewall but cannot reach 10.192.61.166.

 

See attached for the network diagram.

Fortigate TAC is saying there is a routing issue on the Layer 3 switch or the Layer 2 Cisco switch on our side. But I am not sure what the issue is, as when I tried to isolate it with a completely separate network for the IPsec VPN tunnel to our company network, I can ping the IP 10.192.61.166 successfully.

Cisco 4500 Catalyst Layer 3 Switch:

router ospf 1
redistribute connected
redistribute static
network 10.192.0.0 0.0.0.3 area 0
network 10.192.60.224 0.0.0.3 area 0
network 10.192.60.248 0.0.0.3 area 0
network 10.192.61.0 0.0.0.127 area 0
network 10.192.61.128 0.0.0.127 area 0
network 10.192.61.0 0.0.0.255 area 0
network 10.192.62.0 0.0.1.255 area 0
network 10.192.64.0 0.0.3.255 area 0
network 172.17.1.0 0.0.0.255 area 0
network 172.17.2.0 0.0.0.7 area 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.192.60.225
ip route 10.65.88.0 255.255.255.128 10.192.60.225
ip route 10.65.88.5 255.255.255.255 170.224.54.254
ip route 10.113.172.0 255.255.255.0 10.192.60.225
ip route 10.113.172.1 255.255.255.255 169.63.78.146
ip route 10.113.173.0 255.255.255.0 10.192.60.225
ip route 10.192.64.0 255.255.252.0 Vlan101
ip route 172.17.1.0 255.255.255.0 Vlan300

interface Vlan102
description Server Farm Lan
ip address 10.192.61.129 255.255.255.128 ---> VLAN 102, where 10.192.61.166 belongs

On the Layer 2 Cisco 2960 switch:

interface Vlan102
ip address 10.192.61.159 255.255.255.128

interface GigabitEthernet2/0/30 ---> port on the Cisco switch for 10.192.61.166
switchport access vlan 102

ip default-gateway 10.192.61.129
ip http server
ip http secure-server
access-list 3 permit 10.192.0.0 0.0.255.255
access-list 3 deny 172.17.0.0 0.0.255.255
access-list 3 permit any

 

I am not sure if there is a missing route or a VLAN issue here. Can you please help me? Thanks a lot in advance.
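One way to check what the Catalyst 4500 will do with each direction of this traffic, using nothing but the routes quoted above, is a longest-prefix-match lookup. The script below is an added example written for this thread, not configuration or code from the original post or from Cisco or Fortinet. It copies the posted ip route lines, builds the connected entry from the posted Vlan102 address, and assumes there are no other interfaces and no OSPF-learned routes (neither is shown in the post). It shows that a packet from the vendor side to 10.192.61.166 lands on the connected VLAN 102, so the switch has to resolve the server's MAC on that VLAN (which is where a host firewall or an access-port/VLAN mismatch would stop the reply), that the return traffic to 10.113.172.9 is handed to 10.192.60.225, and that the /32 host route for 10.113.172.1 overrides the /24 for that single address.

```python
"""Longest-prefix-match lookup over the Catalyst 4500 routes quoted in the post.

Added example, not part of the thread.  The 'ip route' lines are copied from
the post; the connected Vlan102 entry is built from the posted interface
stanza; every other interface, and anything OSPF would add, is left out
(assumption).  The lookups show which next hop the switch picks for each
direction of the vendor <-> server traffic.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Static routes exactly as quoted for the Catalyst 4500 (IOS "ip route" syntax)
IP_ROUTE_LINES = """\
ip route 0.0.0.0 0.0.0.0 10.192.60.225
ip route 10.65.88.0 255.255.255.128 10.192.60.225
ip route 10.65.88.5 255.255.255.255 170.224.54.254
ip route 10.113.172.0 255.255.255.0 10.192.60.225
ip route 10.113.172.1 255.255.255.255 169.63.78.146
ip route 10.113.173.0 255.255.255.0 10.192.60.225
ip route 10.192.64.0 255.255.252.0 Vlan101
ip route 172.17.1.0 255.255.255.0 Vlan300
"""

# Connected network from the posted "interface Vlan102" stanza (assumption:
# it is the only connected interface that matters for this lookup)
CONNECTED = {"Vlan102": ipaddress.ip_interface("10.192.61.129/25")}


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str  # next-hop IP, or egress interface for connected/interface routes
    source: str    # "connected" (admin distance 0) or "static" (admin distance 1)


def mask_to_prefixlen(mask: str) -> int:
    """Convert a dotted-decimal subnet mask to a prefix length, rejecting gaps."""
    bits = int(ipaddress.IPv4Address(mask))
    plen = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return plen


def parse_ip_routes(text: str) -> List[Route]:
    """Parse 'ip route <dest> <mask> <next-hop|interface>' lines into Route entries."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["ip", "route"] or len(parts) < 5:
            continue  # ignore anything that is not an ip route statement
        dest, mask, nh = parts[2], parts[3], parts[4]
        net = ipaddress.ip_network(f"{dest}/{mask_to_prefixlen(mask)}", strict=False)
        routes.append(Route(net, nh, "static"))
    return routes


def build_rib(ip_route_text: str, connected: dict) -> List[Route]:
    """Connected prefixes first, then the static routes from the config text."""
    rib = [Route(ifc.network, name, "connected") for name, ifc in connected.items()]
    return rib + parse_ip_routes(ip_route_text)


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on equal length the lower admin distance (connected) wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, r.source == "connected"))


def both_directions(rib: List[Route], vendor_host: str, server: str):
    """Routes the Catalyst uses for vendor->server (forward) and server->vendor (return)."""
    return lookup(rib, server), lookup(rib, vendor_host)


RIB = build_rib(IP_ROUTE_LINES, CONNECTED)

if __name__ == "__main__":
    fwd, ret = both_directions(RIB, "10.113.172.9", "10.192.61.166")
    print("vendor -> server :", fwd)  # connected on Vlan102: the switch must ARP for the server
    print("server -> vendor :", ret)  # static via 10.192.60.225
    print("10.113.172.1     :", lookup(RIB, "10.113.172.1"))  # /32 host route beats the /24
```

If the forward lookup ends on Vlan102 but the server still never answers, the routing on the Catalyst is not the place to keep looking: check the ARP entry for 10.192.61.166 on the switch, the access port's VLAN, and the server's own host firewall, since a Windows host firewall drops unsolicited ICMP from a foreign subnet by default.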

 

 

 

2 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

Are you able to ping your server from your company firewall?

Is 10.192.60.225 your firewall interface?

balaji.bandi
Hall of Fame

If the traffic is to and from the tunnel, you need to look at the ACL which was permitted.

What is the server (check the firewall inside the server; it is enabled by default in most new Windows environments)?

Try traceroute and ping to the server from the far-end network (and analyze the monitor on your FW).

Note: the diagram may be missing here, so please attach it again so we can understand better.

BB