routing from new vlan

Jun 21st, 2007

I have a routing problem from a new subnet and VLAN I have set up. The network setup is as follows:

4006 layer 2 and 3 switch serving VLAN 1 on the LAN behind a PIX. On this side of the PIX we also have networks across the WAN. On the other side of the PIX we have VPN tunnels across the internet to other PIXes on our corporate networks. VLAN 1 is the live network and can reach all required networks on both sides of the PIX.

Here's the problem: I have set up a new VLAN on the switch on our LAN and can ping items on our LAN VLAN 1 and across the WAN on this side of the PIX. I cannot ping servers through the PIX VPN tunnel to boxes on the other side of the internet VPN tunnels. If I do a tracert from the new VLAN it gets as far as the 4006 switch on our network (the gateway for this VLAN) and no further. The switch has the IP route for the networks on the other side of the PIX VPN tunnels, and we know this works because the existing VLAN uses it fine. I have also updated the correct access list on the PIX to allow traffic from the new VLAN subnet to the networks on the other side of the VPN tunnels.

So, put simply, I think I'm right in saying that either the switch is not routing the new VLAN correctly when the destination is a network on the other side of the PIX, or the PIX is not allowing this traffic.

What next? And thanks in advance for the help.

Edison Ortiz Thu, 06/21/2007 - 06:44

The remote network(s) need to know about your new VLAN. Are you using static or dynamic routing between sites?

w.halliday Thu, 06/21/2007 - 06:51

Yup, that would make sense.

Our router currently advertises static routes explicitly in its config with the ip route command. Is this what you were asking?

w.halliday Thu, 06/21/2007 - 06:56

Wouldn't I see the traffic getting beyond our switch?

amohabir1 Thu, 06/21/2007 - 07:30

You might want to look at your access-list hit count to see if it is increasing. You can also look at the firewall syslog messages to make sure the host on the new VLAN is making it to the firewall interface and attempting to route across the VPN.

You might also want to try the clear crypto ipsec sa and clear crypto isakmp sa commands on each side to drop the tunnel and clear the security associations.

Edison Ortiz Thu, 06/21/2007 - 07:39

The remote router(s) need to have an ip route (similar to the one from your working VLAN) pointing to your network.
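As an added illustration (not code from the thread or from any of the posters), the following Python model shows the two-way check behind Edison's point: the echo request from the new VLAN is routed all the way to the remote LAN, but the reply dies at the remote router because it has no route back. The node names and 10.x addresses are constructed placeholders, not the poster's real topology.

```python
import ipaddress

# Constructed topology with placeholder addresses (not from the thread).
# Each node's table maps a prefix to the next node; "connected" means the
# prefix is a directly attached LAN and the packet is delivered there.
# Only VLAN 1 (10.1.1.0/24) is known on the remote side; the new VLAN
# (10.1.2.0/24) is reachable from the 4006 and PIX but nobody routes back to it.
TABLES = {
    "4006":          [("10.1.1.0/24", "connected"), ("10.1.2.0/24", "connected"),
                      ("10.9.0.0/24", "pix")],
    "pix":           [("10.1.0.0/16", "4006"), ("10.9.0.0/24", "remote-pix")],
    "remote-pix":    [("10.9.0.0/24", "remote-router"), ("10.1.1.0/24", "pix")],
    "remote-router": [("10.9.0.0/24", "connected"), ("10.1.1.0/24", "remote-pix")],
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if there is no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), nh) for net, nh in table
               if dst in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(first_hop, dst, tables=TABLES):
    """Follow the path hop by hop; returns (hops visited, delivered?)."""
    hops, node = [], first_hop
    while node is not None and node not in hops:
        hops.append(node)
        nh = lookup(tables[node], dst)
        if nh == "connected":
            return hops, True
        node = nh
    return hops, False

def ping(src, src_gw, dst, dst_gw, tables=TABLES):
    """A ping only succeeds if the request gets there AND the reply finds a way back."""
    out, ok_out = trace(src_gw, dst, tables)
    back, ok_back = trace(dst_gw, src, tables)
    return {"forward": out, "forward_ok": ok_out, "return": back, "return_ok": ok_back}

def add_return_routes(tables, new_subnet):
    """The fix suggested in the thread: give the remote side a route to the new VLAN."""
    fixed = {name: list(entries) for name, entries in tables.items()}
    fixed["remote-pix"].append((new_subnet, "pix"))
    fixed["remote-router"].append((new_subnet, "remote-pix"))
    return fixed
```

Running ping() from a new-VLAN host before and after add_return_routes() shows the forward path is identical in both cases; only the return path changes, which is why the PIX access-list hit counters can climb while the ping still fails.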
