routing from new vlan

w.halliday
Level 1

Hi

I have a routing problem from a new subnet and vlan I have setup. The network setup is as follows:

4006 layer 2 and 3 switch serving VLAN 1 on the LAN behind a PIX. On this side of the PIX we also have networks across the WAN. On the other side of the PIX we have VPN tunnels across the internet to other PIXes on our corporate networks. VLAN 1 is the live network and can reach all required networks on both sides of the PIX.

Here's the problem: I have set up a new VLAN on the switch on our LAN and can ping items on our LAN VLAN 1 and across the WAN on this side of the PIX. I cannot ping servers through the PIX VPN tunnel to boxes on the other side of the internet VPN tunnels. If I do a tracert from the new VLAN it gets as far as the 4006 switch on our network (the gateway for this VLAN) and no further. The switch has the IP route for the networks on the other side of the PIX VPN tunnels, and we know this works because the existing VLAN uses it fine. I have also updated the correct access list on the PIX to allow traffic from the new VLAN subnet to the networks on the other side of the VPN tunnels.

So, put simply, I think I'm right in saying that either the switch is not routing the new VLAN correctly when the destination is a network on the other side of the PIX, or the PIX is not allowing this traffic.

What next? And thanks in advance for the help.

5 Replies

Edison Ortiz
Hall of Fame

The remote network(s) need to know about your new VLAN. Are you using static or dynamic routing between sites?

Yup, that would make sense.

Our router currently advertises static routes explicitly in its config with the ip route command. Is this what you were asking?

Wouldn't I see the traffic getting beyond our switch?

You might want to look at your access-list hit count to see if it is increasing. You can also look at the firewall syslog messages to make sure the host on the new VLAN is making it to the firewall interface and attempting to route across the VPN.

You might also want to try the clear crypto ipsec sa and clear crypto isakmp sa commands on each side to drop the tunnel and clear the security associations.

The remote router(s) need to have an ip route (similar to the one from your working VLAN) pointing to your network.
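An added example (not from this thread or from Cisco) that checks the two things the replies point at for a new VLAN subnet: a static return route on the remote router, and a PIX access-list entry that covers the new subnet as interesting VPN traffic. The config fragments, the access-list name vpn-to-hq and all addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample config fragments (placeholders, not from the thread).
REMOTE_ROUTER_CONFIG = """
ip route 10.1.1.0 255.255.255.0 192.0.2.1
ip route 10.1.2.0 255.255.255.0 192.0.2.1
"""
LOCAL_PIX_CONFIG = """
access-list vpn-to-hq permit ip 10.1.1.0 255.255.255.0 10.50.0.0 255.255.0.0
access-list vpn-to-hq permit ip 10.1.2.0 255.255.255.0 10.50.0.0 255.255.0.0
"""

# IOS 'ip route <net> <mask> <next-hop>' and PIX-style 'access-list <name> permit ip <src> <mask> <dst> <mask>'
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", re.M)

def parse_static_routes(config):
    """Return [(destination_network, next_hop)] from the 'ip route' lines."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), hop)
            for net, mask, hop in ROUTE_RE.findall(config)]

def parse_crypto_acl(config, name):
    """Return [(src_network, dst_network)] for the named access-list."""
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for acl, s, sm, d, dm in ACL_RE.findall(config) if acl == name]

def has_return_route(routes, subnet):
    """True if some static route's destination fully contains the subnet."""
    return any(subnet.subnet_of(dest) for dest, _ in routes)

def acl_covers(entries, src, dst):
    """True if an entry matches the src->dst pair, i.e. the tunnel will carry it."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def diagnose(vlan_subnet, remote_subnet, remote_config, pix_config, acl_name):
    """Report whether the new VLAN has a return route and a crypto ACL match."""
    vlan = ipaddress.ip_network(vlan_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    return {
        "return_route": has_return_route(parse_static_routes(remote_config), vlan),
        "crypto_acl": acl_covers(parse_crypto_acl(pix_config, acl_name), vlan, remote),
    }

if __name__ == "__main__":
    # 10.1.1.0/24 plays the working VLAN, 10.1.3.0/24 the newly added one.
    for vlan in ("10.1.1.0/24", "10.1.3.0/24"):
        print(vlan, diagnose(vlan, "10.50.0.0/16", REMOTE_ROUTER_CONFIG,
                             LOCAL_PIX_CONFIG, "vpn-to-hq"))
```

A False in either field explains a tracert that dies at the VLAN gateway: the packet leaves, but nothing brings the reply back or the PIX never treats it as tunnel traffic.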
