08-06-2007 04:50 AM
hello...
Hello...
I created an L2L tunnel between a VPN 3005 and a Juniper NetScreen. The tunnel is up, but we are both unable to ping the allowed IP. Another thing: I only see RX traffic from him but no TX traffic from me. Suspecting keepalives...
This is the second tunnel I built on this VPN 3005 box; the first has none of the issues I am experiencing now.
Can anyone assist with this issue? Thanks in advance.
08-06-2007 05:43 AM
Could this be an internal routing issue on your side? It sounds like traffic from your side isn't even making it across the tunnel, while his is, right?
Clear the tunnel and try to initiate from your side to see if traffic you originate can bring it up.
08-06-2007 10:30 AM
I'm not sure what may be blocking it. I attached a drawing of the L2L tunnel design. The tunnel is supposed to allow the 172 network to reach the 192 network. I do have a PIX attached to the same network as the 192; could that be blocking traffic? I checked for documentation but couldn't find any.
Thanks in advance.
08-06-2007 10:32 AM
08-06-2007 11:09 AM
Hi
What is the default gateway of the PC 192.168.10.10?
Also, what version of software are you running on the PIX?
Jon
08-06-2007 11:13 AM
The DG is .20. The version of the PIX is 6.3.
08-06-2007 11:24 AM
Hi
Okay, that is your problem. When the 192.168.10.10 PC tries to send traffic back to the 172.16.10.10 PC, the traffic first goes to the PIX. But because you are running v6.x of the PIX, it is not allowed to send the traffic back out the same interface it came in on, and it needs to do this to send the traffic to the VPN 3005.
With PIX v7.x you can do this, but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying that to get to 172.16.10.10, go to 192.168.10.15.
HTH
Jon
08-06-2007 11:28 AM
OK, that makes sense. Can I just add a static route to the PIX stating: route 172.16.10.10 255.255.255.255 192.168.10.15 ?
thanks
08-06-2007 11:42 AM
Hi
No, you can't, because your PIX will not route the traffic back out of the same interface it was received on unless your PIX is running version 7.x code.
You need to add the static route to the client PC.
Jon
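To make Jon's explanation concrete, here is an added example (not from the thread or from any Cisco tool) that models the reply path from the 192.168.10.10 PC with a longest-prefix-match lookup and a flag for whether the PIX will send a packet back out its ingress interface. The addresses come from the thread; the PIX version parameter and the interface names are assumptions.

```python
import ipaddress

# Addresses as described in the thread: the PC at 192.168.10.10, its default
# gateway 192.168.10.20 (the PIX inside interface), the VPN 3005 inside
# address 192.168.10.15, and the remote host 172.16.10.10.
PC_IP, PIX_GW, VPN_GW, REMOTE = ("192.168.10.10", "192.168.10.20",
                                 "192.168.10.15", "172.16.10.10")


def next_hop(routes, dst):
    """Longest-prefix-match lookup. routes is a list of (prefix, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def pix_forwards(pix_version, in_if, out_if):
    """Assumed model: PIX 6.x drops a packet whose egress interface equals its
    ingress interface; 7.x can be configured to permit that hairpin."""
    return not (in_if == out_if and pix_version < 7)


def reply_path(pc_routes, pix_version=6.3):
    """Trace the PC's reply to REMOTE and report where it ends up."""
    gw = next_hop(pc_routes, REMOTE)
    if gw == VPN_GW:
        return ("pc", "vpn3005")           # handed straight to the concentrator
    if gw == PIX_GW:
        # The PIX's own route for 172.16.10.10 points back at the inside LAN,
        # so the packet would have to leave via the interface it arrived on.
        if pix_forwards(pix_version, "inside", "inside"):
            return ("pc", "pix", "vpn3005")
        return ("pc", "pix", "dropped")
    return ("pc", "unreachable")


# Constructed PC routing tables: before and after Jon's suggested host route.
BEFORE = [("0.0.0.0/0", PIX_GW)]
AFTER = BEFORE + [(REMOTE + "/32", VPN_GW)]

if __name__ == "__main__":
    print("PIX 6.3, default route only :", reply_path(BEFORE))
    print("PIX 6.3, with /32 host route:", reply_path(AFTER))
    print("PIX 7.x, default route only :", reply_path(BEFORE, pix_version=7.0))
```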
08-06-2007 11:46 AM
I'll give this a try and update with results.
Again, thanks for your assistance.
08-06-2007 07:04 PM
There is one more option if you're feeling adventurous: enable RIP on the inside interface of the concentrator (RIP v1) and RRI, then enable the RIP listener on XP.
08-06-2007 10:23 PM
"if you're feeling adventurous...enable rip"
Now that would be adventurous!! :)
08-09-2007 04:44 AM
Jon Marshall, you are the man. Adding the route statement worked! I remember reading about this PIX not allowing traffic back out the same interface, but forgot all about it.
Thanks again!
08-09-2007 05:07 AM
No problem. Thanks for letting us know it worked and for the ratings.
Glad to be of help.
Jon