Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
360
Views
0
Helpful
2
Replies

Concentrator - which way did it route?

CwnAnnwn
Level 1
Level 1

‎09-08-2005 01:56 PM

Sometimes I just need to leave well enough alone...

Yesterday, as I was attempting to clean up some configuration issues on a PIX, I came across an issue with my Concentrator 3005 - Namely that it was assigned an address of 172.26.221.1/24 and had an additional entry in the PIX routing table for 172.26.220.0/24. Being an orderly person I determined to resolve the situation and move the client address pool into the x.x.221.x range so I could reduce the number of routes that are in all of my routers. The problems developed almost immediately. When a client connected to the Concentrator the log indicated that the system iterated through the range of addresses flagging each of them as already in use on the network! Realizing that this wasn't going to work right away I reverted the pool to the original address range - only to have the system allow users to connect but send them nowhere!

So back to the drawing board I went. I isolated the address in use issue by changing the netmask on the interface to a 29 bit mask. I then set the pool to the 172.26.221.0/25 network. Now I am in the same situation as before, that the client can connect, but not go anywhere in the network.

I am totally baffeled by this unit. I can ping the internal interface of the Concentrator from the inside network, and from the Concentrator I can ping an internal server. Why can't I get the tunnel to work?

Thoughts and tips are greatly appreciated.

Labels:
0 Helpful
2 Replies 2

aacole
Level 5
Level 5

‎09-09-2005 11:22 AM

Well apart from the advice `if it aint broke dont try to fix it' (sorry!!) all I can think of is that this sounds like a routing issue.

It reads like you have somehow changed the pool of IP addresses that the clients get allocated. If so do the network devices on your internal network know how to route to that new address range.

Without knowing more about your network topology that would be my first guess, but this could explain why they connect to the concentrator but have lost connectivity.

The other issue that comes to mind, could the new address range be denied in an access list somewhere?

Andy

0 Helpful

CwnAnnwn
Level 1
Level 1
In response to aacole

‎09-09-2005 05:34 PM

Too true. If it ain't broke, don't break it - dork!

After staring at it what feels like forever I suddenly had the switch hit - the interface on the PIX that the Concentrator connects to should not be the route gateway in the PIX for items comming back into the Concentrator!

So a few static changes here and there, and a minor route entry and the system works!

voila:

Concentrator

ip address = 172.16.253.254/29

default gateway = (outside address)

tunnel gateway = 172.16.253.252

PIX

ip address dmz 172.16.253.252 255.255.255.248

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.128.0 0 0

static (inside,dmz) 172.16.128.0 172.16.128.0 netmask 255.255.192.0 0 0

route dmz 172.16.253.0 255.255.255.128 172.16.253.254 1

Thanks for the food for thought. Usually is a user error isn't it?

0 Helpful
Customers Also Viewed These Support Documents