05-09-2007 12:04 PM - edited 03-05-2019 03:58 PM
I have 2 sites which are connected via a VPN tunnel.
Site A is the main HQ.
Site B is in Cali.
In Site B we have a 4503 which has several 3560s connected to the 4503 via fiber trunks.
When trying to communicate with the VPN by means of ping or telnet, we cannot connect to it. We can connect to all of the 3560s which are plugged in to the 4503.
I think the command which is allowing the 3560s to work is the ip classless command, but there is no ip classless command for the 4503 running 12.2 IOS.
If I connect to one of the 3560s in Site B I can telnet and ping the 4503 just fine.
What am I doing wrong?
05-09-2007 12:09 PM
Verify the default gateway on the 3560s and match it on the 4503 with the command
ip default-gateway [gateway ip]
Have you tried turning routing on the 4503?
Type 'ip routing' in config mode and then try the ip classless command. However, ip classless won't give you the ability to communicate to other subnets.
You need a gateway in the 4503 switch or a device on that segment serving as an ip proxy.
05-09-2007 12:10 PM
Yes, there is an ip default-gateway command and it is the same IP as on the 3560s.
ip routing is not on.
05-09-2007 12:14 PM
Verify the Layer 3 information on the 4503 is on the same VLAN as the Layer 3 information on the 3560s.
Do you mind posting configs?
05-09-2007 12:36 PM
05-09-2007 12:41 PM
Very simple config.
Can the 4503 ping 192.168.60.1?
What device is 192.168.60.1?
Can you post show ip route from both the 3560 and 4503?
05-10-2007 04:48 AM
Yes, the 4503 can ping anything on the 192.168.60.0 network. The .1 is the gateway, which is a Checkpoint firewall which leads to the 10.10.1.0 network, which is where we are doing all our testing from.
The only route in the 4503 is the 192.168.60.1.
05-10-2007 05:54 AM
I am a little confused. You are doing tests from the Checkpoint firewall at the HQ or the Cali office?
Is the VPN tunnel established on the Checkpoint?
05-11-2007 05:11 AM
I was testing from a PC on the network at Site A. The only way I can get to the 4503 is to telnet in to a 3560 in Site B, then connect to it. All the 3560s are working fine to telnet to, just not the 4503, and they are all on the same subnet.
05-10-2007 05:57 AM
I recommend verifying the CheckPoint logs and checking for packets being dropped to/from the 4503 address.
05-11-2007 05:19 AM
OK, will have them look at the Checkpoint.
05-23-2007 04:51 AM
Hi bdillon,
Any luck yet? I have the same problem. The 3560s give no problem, only my 4503. We also use a Checkpoint firewall, but there is nothing to see there.
regards,
Gerard
05-23-2007 06:12 AM
I think there is something with the default-gateway. If I do the command sh ip route on my 3560, I see the configured default gateway.
If I do this on my 4503, I get a message: no gateway of last resort, although I did configure the ip default-gateway command.
regards,
gerard
05-23-2007 06:33 AM
Sorted the problem:
ip route 0.0.0.0 0.0.0.0 <
regards,
gerard