6506/VPN routing problem

I apologize ahead of time for the long post.

I'm having a problem setting up a PIX-to-PIX VPN connection, but I believe the issue is a routing problem, not a VPN problem.

My network's main piece of gear is a 6506 with a SUP1A supervisor engine.

The network has several subnets, all of which are defined on the SUP1A, similar to the following:

vlan SUB1
ip address 190.155.2.1
vlan SUB2
ip address 190.155.4.1
etc.

One of the subnets is located in a remote building.

Up to this point, we've used an Aironet 350 wireless bridge to connect them to the main network. Their Internet access was through our main Internet access.

Recently, a new high-speed Internet connection was installed in the remote building. Eventually this will be the main Internet connection for our entire enterprise, but for the present, only the group in the remote building is so configured.

To maintain their access to the rest of the enterprise, we came up with the plan of putting their network behind a set of PIXes, connecting a set of PIXes to service what will eventually be *our* main Internet connection, and establishing a PIX-to-PIX VPN to give them access to the rest of the enterprise.

I use the Aironet 350 as the mechanism by which I connect to *our* set of PIXes in the remote building.

Hopefully the following illustrates our setup to the point where it's understandable.

SUB4(190.155.8.0/28)-----CAT6506SUP(190.155.8.1)---350 bridge---(190.155.8.2)PIX1<----PUB IP--->PIX2(192.168.1.1)---remote LAN(192.168.1.0/24)
SUB1(190.155.2.0/23)
SUB2(190.155.4.0/23)
SUB3(190.155.6.0/23)

Both sets of PIXes are 515s with 128 MB RAM running v7.2. Each set consists of one PIX with an unrestricted license and one failover PIX.

If I telnet into the 6506 SUP engine I can ping everything in the other building's network.

If I telnet into the 6506 itself, I cannot.

From my computer, I can ping anything in any of the subnets listed in the SUP engine, but nothing in the other building's subnet.

From the other building I can ping anything in the same subnet that my PIX is on (SUB3), including the SUP engine, but nothing on any other subnet in my building.

If I configure a computer to point to my PIX's inside interface as the default gateway, I can ping anything on the remote building's subnet.

Salient configuration details (I hope):

6506 SUP entries:

vlan SUB1
ip address 190.155.2.1
vlan SUB2
ip address 190.155.4.1
vlan SUB3
ip address 190.155.6.1
vlan SUB4
ip address 190.155.8.1

6506 SUP routes listed:

0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
(this route leads to a third set of PIXes with a public IP on a completely different public IP subnet)
ip route 192.168.1.0 255.255.255.0 190.155.8.2
router eigrp 10
redistribute static
network 190.155.0.0
network 192.168.1.0 (tried with and without this)

6505 switch:

0.0.0.0 0.0.0.0 190.155.2.1

I have tried both with and without having entries in the remote PIX's configuration for the subnets on my side, as well as with and without the entry for the remote subnet on my PIX.

PIX1 (my PIX)

name 190.155.2.0 SUB1
name 190.155.4.0 SUB2
name 190.155.6.0 SUB3
name 190.155.8.0 SUB4
name 192.168.1.0 OTHERSIDE
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside SUB1 255.255.254.0 190.155.8.1 1
route inside SUB2 255.255.254.0 190.155.8.1 1
route inside SUB3 255.255.254.0 190.155.8.1 1
route inside SUB4 255.255.255.240 190.155.8.1 1
route inside OTHERSIDE 255.255.255.0 190.155.8.2 1

PIX2 (remote PIX)

name 190.155.2.0 SUB1
name 190.155.4.0 SUB2
name 190.155.6.0 SUB3
name 190.155.8.0 SUB4
name 192.168.1.0 OTHERSIDE
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside SUB1 255.255.254.0 190.155.8.1 1
route inside SUB2 255.255.254.0 190.155.8.1 1
route inside SUB3 255.255.254.0 190.155.8.1 1
route inside SUB4 255.255.255.240 190.155.8.1 1

Virtually all of my router and PIX knowledge is self-taught/OJT, so I'm fully aware of the possibility that I have missed some very basic aspect of configuring this.

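An added worked example, not part of the original post and not a Cisco tool: a small Python longest-prefix-match simulator loaded with the three routing tables as posted (the MSFC on the SUP1A, PIX1 and PIX2, with the PIX `name` statements resolved to prefixes). It walks a packet from device to device and stops when a next hop is the forwarding device's own interface address or is not on one of its connected networks, two conditions a usable static route should never produce. Everything the post masks or omits is an assumption here: the public addresses (xxx.xxx.xxx.xxx in the post) are replaced with RFC 5737 documentation addresses 198.51.100.x and 203.0.113.x, the PIX-to-PIX VPN is modelled as a single hop carrying 192.168.1.0/24 toward PIX2 and the four 190.155.x.0 subnets toward PIX1, and crypto ACLs and NAT are not modelled because the post does not show them.

```python
import copy
import ipaddress

# Routing tables as posted in the question, 'name' statements resolved to prefixes.
# Public addresses were masked as xxx.xxx.xxx.xxx in the post; the RFC 5737
# documentation ranges used below are assumed stand-ins, not the real addresses.
DEVICES = {
    "MSFC": {  # Sup1A routing engine in the 6506; owns the four VLAN gateways
        "addrs": {"190.155.2.1", "190.155.4.1", "190.155.6.1", "190.155.8.1"},
        "connected": ["190.155.2.0/23", "190.155.4.0/23", "190.155.6.0/23", "190.155.8.0/28"],
        "static": [("192.168.1.0/24", "190.155.8.2"), ("0.0.0.0/0", "198.51.100.254")],
    },
    "PIX1": {  # local PIX, inside 190.155.8.2; outside address assumed
        "addrs": {"190.155.8.2", "198.51.100.1"},
        "connected": ["190.155.8.0/28", "198.51.100.0/24"],
        "static": [
            ("190.155.2.0/23", "190.155.8.1"),
            ("190.155.4.0/23", "190.155.8.1"),
            ("190.155.6.0/23", "190.155.8.1"),
            ("190.155.8.0/28", "190.155.8.1"),
            ("192.168.1.0/24", "190.155.8.2"),  # the posted 'route inside OTHERSIDE' line
            ("0.0.0.0/0", "198.51.100.254"),
        ],
    },
    "PIX2": {  # remote PIX, inside 192.168.1.1; outside address assumed
        "addrs": {"192.168.1.1", "203.0.113.1"},
        "connected": ["192.168.1.0/24", "203.0.113.0/24"],
        "static": [
            ("190.155.2.0/23", "190.155.8.1"),
            ("190.155.4.0/23", "190.155.8.1"),
            ("190.155.6.0/23", "190.155.8.1"),
            ("190.155.8.0/28", "190.155.8.1"),
            ("0.0.0.0/0", "203.0.113.254"),
        ],
    },
}

# Assumption: the VPN is one hop carrying 192.168.1.0/24 toward PIX2 and the four
# 190.155.x.0 subnets toward PIX1. No crypto ACL or NAT is shown in the post, so
# neither is modelled; a packet only crosses here if its egress is unmodelled (ISP).
TUNNEL = {
    "PIX1": ("PIX2", ["192.168.1.0/24"]),
    "PIX2": ("PIX1", ["190.155.2.0/23", "190.155.4.0/23", "190.155.6.0/23", "190.155.8.0/28"]),
}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) with next_hop None when connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix in table["connected"]:  # connected routes win ties against statics
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, None)
    for prefix, nh in table["static"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(nh))
    return best


def owner_of(devices, addr):
    """Name of the modelled device owning interface address addr, else None."""
    return next((n for n, t in devices.items() if str(addr) in t["addrs"]), None)


def trace(devices, first_hop, dst, max_hops=8):
    """Follow dst from device first_hop; returns [(device, matched_prefix, verdict), ...]."""
    path, device = [], first_hop
    for _ in range(max_hops):
        table = devices[device]
        match = lookup(table, dst)
        if match is None:
            path.append((device, None, "dropped: no route"))
            return path
        net, nh = match
        if nh is None:
            path.append((device, str(net), "delivered: connected network"))
            return path
        if str(nh) in table["addrs"]:  # route points back at the forwarding device
            path.append((device, str(net), f"stopped: next hop {nh} is this device's own address"))
            return path
        if not any(nh in ipaddress.ip_network(c) for c in table["connected"]):  # no ARP possible
            path.append((device, str(net), f"stopped: next hop {nh} is not on a connected network"))
            return path
        nxt = owner_of(devices, nh)
        if nxt is None and device in TUNNEL:
            peer, protected = TUNNEL[device]
            if any(ipaddress.ip_address(dst) in ipaddress.ip_network(p) for p in protected):
                path.append((device, str(net), f"forward over VPN to {peer}"))
                device = peer
                continue
        if nxt is None:
            path.append((device, str(net), f"forward to {nh}: outside the modelled network"))
            return path
        path.append((device, str(net), f"forward to {nh} ({nxt})"))
        device = nxt
    path.append((device, None, "stopped: hop limit reached (routing loop?)"))
    return path


def without_static(devices, device, prefix):
    """Deep copy of the tables with one static route removed from one device."""
    copied = copy.deepcopy(devices)
    copied[device]["static"] = [r for r in copied[device]["static"] if r[0] != prefix]
    return copied


if __name__ == "__main__":
    for hop in trace(DEVICES, "MSFC", "192.168.1.10"):  # SUB1 host whose gateway is 190.155.2.1
        print(hop)
```

Run as a script it traces a SUB1 host (default gateway 190.155.2.1) reaching 192.168.1.10 with the tables as posted: the MSFC forwards to 190.155.8.2 (PIX1), and PIX1 then matches its `route inside OTHERSIDE` line, whose next hop 190.155.8.2 is PIX1's own inside address, so the trace stops there. Calling `trace(without_static(DEVICES, "PIX1", "192.168.1.0/24"), "MSFC", "192.168.1.10")` reproduces one of the variations the post says was tried; in the model the packet then takes PIX1's default route and crosses the tunnel to PIX2. Tracing return traffic with `trace(DEVICES, "PIX2", "190.155.2.50")` stops at PIX2 because its posted `route inside SUB1` next hop 190.155.8.1 is not on any PIX2 network. The simulator checks routing tables only; whether crypto maps or NAT would then pass the traffic is outside what the post shows, so treat its output as a routing check, not a diagnosis.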