Routing between sites that use site-to-site VPN

GRANT GATHAGAN
Level 1

I have two 515's running 7.2(1) that have a site-to-site VPN set up somewhat as follows:

main site subnets---main site router-------PIX1____Public IP's____PIX2------remote site

The main site router: CAT6506 with SUP1A engine

Subnets listed in SUP engine:

VLAN SUB1

IP address 180.x.1.x.255.254.0

VLAN SUB2

IP address 180.x.2.x.255.254.0

VLAN SUB3

IP address 180.x.3.x.255.254.0

VLAN SUB4

IP address 180.x.4.x.255.255.240

PIX1 is on subnet SUB4(180.20.4.2)

Remote site subnet: 192.168.1.0/24

The SUP engine's default route is directed to another router that reaches the internet through a different public IP subnet.

Any host on SUB4 can reach any host on the remote site as long as the SUB4 host's default gateway is the inside int of PIX1 (180.20.4.2).

Any SUB4 host that uses 180.20.4.1(router address) as the default gateway cannot communicate with any of the remote hosts, but can communicate with any host in any subnet of the main site.

Any remote hosts can communicate with any host on SUB4, regardless of the SUB4 host's gateway address.

Any remote hosts can communicate with the main site router on SUB4, but cannot reach any of the other subnet interfaces configured on the router.

I added a static route on the SUP engine:

ip route 192.168.1.0 255.255.255.0 180.20.4.2

That didn't help.

The SUP engine uses EIGRP to learn of the other main site subnets reached via routers, so I added the remote subnet to that:

router eigrp 10
 redistribute static
 network 180.20.0.0
 network 192.168.1.0
 no auto-summary
 no eigrp log-neighbor-changes

No luck there, either.

I can't help but think that I'm missing something very basic.

Any help is truly appreciated

20 Replies

Hi,

Just wanted to know, when there is no such access-list configured in the PIX, why is the access-group applied? Anyway, having an access-group without an access-list is permit any, so no issues with that.

Also add this: "sysopt connection permit-ipsec", check, and please provide me the trace:

1.from Sub4 with default as router

2.From sub2 or sub3 to remote ip

regards

vanesh k

Hi vanesh k,

At one time in the process of setting these up I had given myself non-VPN access through the PIX's. I took out the access-list, but not the access-group statement.

Now an odd thing: as it happens I was looking at that same sysopt statement.

When I add it to the configuration I get no error message, but it does not show up on the configuration after applying it and saving the configuration.

This happens on both PIX's.

I'm accessing the PIX's via telnet, since I couldn't immediately see where the statement would be added via the ASDM.

Is there any other statement I need to add to allow the sysopt statement to be added ?

Hi

I think it should not be a problem as you have an open access-list. Can you please give me the trace to find whether it's a routing issue?

regards

vanesh k

Sorry about the delay in getting back to this. Unfortunately this is not the only issue I have to deal with on my network.

I've uploaded the current configs for both PIX's and the traceroute results from switches on each of the main site's subnets.

On the positive side, I can reach the remote site from any of the subnets of the main site.

The bad news: Nothing has changed on the remote site. I can only reach resources on SUB4 that have PIX_1 as their default gateway.

All traceroute attempts on the remote PIX are sent out on the outside interface, which leads me to believe that "route inside" statements are going to be necessary on the remote PIX.

I guess the trick is going to be finding out which interface to use and what the route will be.

Hi ,

Thanks for your reply. There are no "route inside" statements required in the remote PIX, as all the segments you try to reach are on the outside. Your default "route outside" is fine.

Pls try removing this statement :

no ip verify reverse-path interface outside

from remote pix.

Also please provide a trace from the remote PC to any subnet at the main site whose default gateway is different from the PIX.

regards

vanesh k
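The two routing points raised in this thread, the SUB4 host whose default gateway is the SUP rather than PIX1 (original post) and the reverse-path check on the remote PIX (reply above), come down to one mechanism: each device picks the longest-prefix match for the destination, and uRPF applies the same lookup to the source address. The following simulator is an added example, not part of this thread or of Cisco's software. The topology is constructed from the addresses given in the post (SUB4 = 180.20.4.0/28, PIX1 inside = 180.20.4.2, SUP = 180.20.4.1, remote = 192.168.1.0/24); SUB2 = 180.20.2.0/23, the SUP's "uplink" interface and the collapsing of the IPsec tunnel into a single route between PIX1 and PIX2 are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                  # egress interface on this device
    next_hop: Optional[str]     # next device name; None = destination is on-link


def R(prefix: str, iface: str, next_hop: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, next_hop)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule both IOS and PIX use to choose a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


SINK_INTERNET = "internet-router"   # anything not in the topology dict is a sink


def topology(sup_has_vpn_route: bool) -> Dict[str, List[Route]]:
    """Constructed tables. Addresses from the post; SUB2 mask and the
    'uplink' interface are assumptions. The IPsec tunnel is modelled as a
    direct route between PIX1 and PIX2 instead of crypto-map + default route."""
    sup = [
        R("180.20.2.0/23", "SUB2"),
        R("180.20.4.0/28", "SUB4"),
        R("0.0.0.0/0", "uplink", SINK_INTERNET),   # default to the other router
    ]
    if sup_has_vpn_route:
        # ip route 192.168.1.0 255.255.255.0 180.20.4.2
        sup.append(R("192.168.1.0/24", "SUB4", "PIX1"))
    return {
        "HOST-A": [R("180.20.4.0/28", "eth0"), R("0.0.0.0/0", "eth0", "PIX1")],  # gw 180.20.4.2
        "HOST-B": [R("180.20.4.0/28", "eth0"), R("0.0.0.0/0", "eth0", "SUP")],   # gw 180.20.4.1
        "SUP": sup,
        "PIX1": [R("180.20.4.0/28", "inside"),
                 R("192.168.1.0/24", "outside", "PIX2"),          # via the tunnel
                 R("0.0.0.0/0", "outside", SINK_INTERNET)],
        "PIX2": [R("192.168.1.0/24", "inside"),
                 R("180.20.0.0/16", "outside", "PIX1"),           # via the tunnel
                 R("0.0.0.0/0", "outside", SINK_INTERNET)],
        "REMOTE-HOST": [R("192.168.1.0/24", "eth0"), R("0.0.0.0/0", "eth0", "PIX2")],
    }


def trace(devices: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop device by device using each device's own table. The returned path ends in
    'delivered@<dev>:<iface>', a sink name (traffic left the modelled network), or
    'no-route@<dev>'."""
    path, cur = [start], start
    for _ in range(max_hops):
        route = lookup(devices[cur], dst)
        if route is None:
            path.append(f"no-route@{cur}")
            return path
        if route.next_hop is None:
            path.append(f"delivered@{cur}:{route.iface}")
            return path
        path.append(route.next_hop)
        if route.next_hop not in devices:
            return path
        cur = route.next_hop
    path.append("loop")
    return path


def urpf_ok(table: List[Route], ingress_iface: str, src: str) -> bool:
    """'ip verify reverse-path interface <X>': accept a packet arriving on X only if
    the best route back to its source address also leaves via X."""
    route = lookup(table, src)
    return route is not None and route.iface == ingress_iface


if __name__ == "__main__":
    for fixed in (False, True):
        devs = topology(fixed)
        print("SUP has VPN route:", fixed)
        for src in ("HOST-A", "HOST-B", "SUP"):
            print(f"  {src:8} -> 192.168.1.10 :", " > ".join(trace(devs, src, "192.168.1.10")))
    pix2 = topology(True)["PIX2"]
    print("uRPF outside, src 180.20.4.5 :", urpf_ok(pix2, "outside", "180.20.4.5"))
    print("uRPF outside, src 192.168.1.50:", urpf_ok(pix2, "outside", "192.168.1.50"))
```

Before the static route, HOST-B's packets for the remote subnet reach the SUP and follow its default route to the other internet router, which is exactly the symptom in the post; the SUP itself, answering from one of its other SVIs, does the same. With the route in place the path becomes HOST-B > SUP > PIX1 > PIX2. The uRPF check on PIX2 passes for a main-site source arriving on outside, because PIX2's route back to 180.20.0.0/16 leaves via outside, and drops a packet on outside that claims a 192.168.1.x source, which is the spoofing case the feature exists for.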

Sorry to be so long getting back to this.

This is getting strange now.

From the remote site, I'm able to access my servers on subnets SUB2, SUB3, SUB4, and SUB5.

I'm able to access virtually every resource on the main subnet, SUB1, but of the seven Netware servers I have on that subnet, I'm only able to reach three.

So I guess it's down to a server configuration issue, as opposed to a VPN or routing issue.

For what it's worth, I removed that "ip verify reverse-path interface outside" statement from the remote configuration.

Thanks so much to both vanesh k and Jason for your help on this.

I'm going to consider this solved and shall rate it.
