Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
0
Helpful
5
Replies

3005 and Routing

Go to solution
todd.kelly
Level 1
Level 1

‎08-10-2006 07:49 AM - edited ‎03-09-2019 03:52 PM

I have a 3005 with a public address of 209.3.157.86. It is attached to a switch that is on a single VLAN where our internet connect comes into. My PIX outside int is also attached to this switch. The default GW is 66.77.117.65, but whenever I attempt to add 66.77.117.65 as the default gateway the concentrator tells me 'The default Gateway is not on a local network'. What am I not doing right?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to abdel_n

‎08-13-2006 04:26 PM

Todd

It seems that the view of the topology is inconsistent. If all devices (ISP, PIX, concentrator) are in the same VLAN then they are in the same broadcast domain. And logically they should be in the same subnet. On routers Cisco has the concept of secondary addressing so that you can have multiple different subnets on the same broadcast domain. But I do not think that this feature exists on the concentrator.

I am a bit confused about the topology of your network and the traffic flow that you desire. From the ISP normal network traffic flows from ISP to PIX, through PIX to the internal network. What about traffic from the ISP to the concentrator? Should it be from ISP directly to the concentrator (bypassing the PIX) or is it some other way?

If traffic should flow from ISP directly to the concentrator then it seems logical that the concentrator outside interface should be in the same subnet as the ISP. How did the IP address on the concentrator get chosen? And why was it put into a different subnet? Or does traffic from the ISP take an indirect path to the concentrator? Perhaps you can clarify this?

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
5 Replies 5

Go to solution
abdel_n
Level 1
Level 1

‎08-11-2006 03:16 AM

Hi,

I think there something wrong, all ip's on a single vlan must belong to the same network/subnetwork.

Are vpn3000 public interface, PIX outside interface and your ISP connected to the single switch VLAN?

Your default gateway should be the other side of a point to point connection with your vpn3000 (even through a switch VLAN as the switch make P2P connection between src and dst ports).

0 Helpful

Go to solution
todd.kelly
Level 1
Level 1
In response to abdel_n

‎08-11-2006 05:45 AM

Thanks for the reply.

Yes to your question. The PIX outside and the ISP are both on the same subnet. The 3005 is not . All these devices are on a single vlan. I thought maybe I could get this to work, but I can use the management address of the switch they are attached to. I have console access to the switch so connecting to the switch is not an issue.

0 Helpful

Go to solution
abdel_n
Level 1
Level 1
In response to todd.kelly

‎08-11-2006 06:57 PM

The concentrator and the PIX and the ISP gateway should belong to the the same subnetwork. So you have to change your concentrator public interface to ip from the subnet of your PIX outside and ISP gateway.

According to "switch best practices" it is not recommended to use the management vlan in the production envirement, you should evaluate the risk of sharing your management traffic with outside users.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to abdel_n

‎08-13-2006 04:26 PM

Todd

It seems that the view of the topology is inconsistent. If all devices (ISP, PIX, concentrator) are in the same VLAN then they are in the same broadcast domain. And logically they should be in the same subnet. On routers Cisco has the concept of secondary addressing so that you can have multiple different subnets on the same broadcast domain. But I do not think that this feature exists on the concentrator.

I am a bit confused about the topology of your network and the traffic flow that you desire. From the ISP normal network traffic flows from ISP to PIX, through PIX to the internal network. What about traffic from the ISP to the concentrator? Should it be from ISP directly to the concentrator (bypassing the PIX) or is it some other way?

If traffic should flow from ISP directly to the concentrator then it seems logical that the concentrator outside interface should be in the same subnet as the ISP. How did the IP address on the concentrator get chosen? And why was it put into a different subnet? Or does traffic from the ISP take an indirect path to the concentrator? Perhaps you can clarify this?

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
todd.kelly
Level 1
Level 1
In response to Richard Burts

‎08-13-2006 05:27 PM

I have the public interface on the same subnet as the the outside interface and the ISP. I was able to obtain an address on this subnet and all is working fine now. Thanks for your assistance.

0 Helpful
Customers Also Viewed These Support Documents