
VPN users can not access remote LAN when traffic is cutover to MPLS interfa

Hi, all,

We have two offices one in San Jose and the other one in LA, the network is very simple, each office has a PIX 515 and has one L3 subnet directly attached to firewall's inside interface, the subnets are 192.168.1.0/24 and 192.168.2.0/24, respectively. Each firewall has two public IP addresses, one public address dedicated to Internet access and IPsec RA access, and the other public IP is dedicated for site2site VPN, the address pool for remote access VPN in SJ office is 10.10.10.0/24, while remote access pool in LA office is taken from 192.168.2.0/24 space. So everything worked fine, when employees VPN in to either firewall, they can access Email/files in either location.

We have now decided to get rid of the site2site VPN and go with the MPLS VPN service provided by ATT. The MPLS VPN service was attached to a third interface (nameif MPLS) on the firewall, and we changed the static route on the firewall so that traffic between the two offices is routed to interface MPLS. The cutover was successful, meaning that hosts in both offices can communicate with each other fine.

The only problem is that remote access users can only access servers in their local office but cannot access (or ping) servers in the remote office. I think somehow the firewall does not route traffic coming from the RA VPN to the new (MPLS) interface, but I cannot figure out why that is so, because the routing looks correct and the NAT translation is also OK.

If you guys have any suggestions, please guide, I can post the relevant configuration if that helps.

Thanks,

Jian

4 REPLIES

Re: VPN users can not access remote LAN when traffic is cutover

show the configuration.


Re: VPN users can not access remote LAN when traffic is cutover

Hi, the configuration is attached. This is the working configuration (before cutover): RA VPN traffic comes in from the outside interface and is routed to the site2site interface. The only change to cut traffic over to the mpls interface is to replace "route site2site 192.168.20.0/24" with "route mpls 192.168.20.0/24".

Re: VPN users can not access remote LAN when traffic is cutover

! NAT exemption for traffic between the remote LAN and the RA VPN pool on the mpls interface
! (the original post omitted the "permit" keyword, which the PIX access-list syntax requires)
access-list NO-NAT-MPLS permit ip object-group newyork_corp 10.10.37.0 255.255.255.0

nat (mpls) 0 access-list NO-NAT-MPLS
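To put the reply above in context, here is a constructed PIX config excerpt for the San Jose box using the subnets from the original post (inside 192.168.1.0/24, RA pool 10.10.10.0/24, LA LAN 192.168.2.0/24). It is an added example, not the attached configuration from the thread; the MPLS next hop 203.0.113.1 and the old site2site next hop are placeholders.

```cisco
! Constructed example, not the poster's attached config. Next-hop addresses are placeholders.

! 1. Routing: send the LA subnet out the MPLS interface instead of the old site2site link.
no route site2site 192.168.2.0 255.255.255.0 <OLD-SITE2SITE-NEXT-HOP> 1
route mpls 192.168.2.0 255.255.255.0 203.0.113.1 1

! 2. NAT exemption on the new egress interface. A "nat 0" exemption configured for the
!    site2site interface does not carry over to mpls, so without this line the firewall
!    still expects a translation for RA-pool <-> LA-LAN traffic on the MPLS interface.
!    nat 0 with an access-list is bidirectional, so the LA-to-pool return path is covered.
access-list NO-NAT-MPLS permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (mpls) 0 access-list NO-NAT-MPLS

! 3. Local exemption for LAN <-> RA pool traffic on the inside interface (unchanged by the cutover).
access-list NO-NAT-INSIDE permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE

! 4. Verification after the change: confirm the route points at mpls and that the
!    RA-pool flows appear as identity (untranslated) entries rather than being dropped.
show route
show running-config nat
show xlate
```

If the mpls and outside interfaces share the same security level on a PIX 7.x image, inter-interface traffic also needs to be explicitly permitted, which is worth checking when the exemption alone does not restore connectivity.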


Re: VPN users can not access remote LAN when traffic is cutover

Hi, thanks a lot, that is what I thought too. I will try that during the next maintenance window and let you know.
