New Member

3005 and Routing

I have a 3005 with a public address of 209.3.157.86. It is attached to a switch that is on a single VLAN where our Internet connection comes in. My PIX outside int is also attached to this switch. The default GW is 66.77.117.65, but whenever I attempt to add 66.77.117.65 as the default gateway, the concentrator tells me 'The default Gateway is not on a local network'. What am I not doing right?

Thanks

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Re: 3005 and Routing

Todd

It seems that the view of the topology is inconsistent. If all devices (ISP, PIX, concentrator) are in the same VLAN then they are in the same broadcast domain. And logically they should be in the same subnet. On routers Cisco has the concept of secondary addressing so that you can have multiple different subnets on the same broadcast domain. But I do not think that this feature exists on the concentrator.

I am a bit confused about the topology of your network and the traffic flow that you desire. From the ISP normal network traffic flows from ISP to PIX, through PIX to the internal network. What about traffic from the ISP to the concentrator? Should it be from ISP directly to the concentrator (bypassing the PIX) or is it some other way?

If traffic should flow from ISP directly to the concentrator then it seems logical that the concentrator outside interface should be in the same subnet as the ISP. How did the IP address on the concentrator get chosen? And why was it put into a different subnet? Or does traffic from the ISP take an indirect path to the concentrator? Perhaps you can clarify this?

HTH

Rick

5 REPLIES
New Member

Re: 3005 and Routing

Hi,

I think there is something wrong; all IPs on a single VLAN must belong to the same network/subnetwork.

Are the vpn3000 public interface, the PIX outside interface and your ISP connected to the single switch VLAN?

Your default gateway should be the other side of a point-to-point connection with your vpn3000 (even through a switch VLAN, as the switch makes a P2P connection between src and dst ports).

New Member

Re: 3005 and Routing

Thanks for the reply.

Yes to your question. The PIX outside and the ISP are both on the same subnet. The 3005 is not. All these devices are on a single VLAN. I thought maybe I could get this to work, but I can use the management address of the switch they are attached to. I have console access to the switch so connecting to the switch is not an issue.

New Member

Re: 3005 and Routing

The concentrator, the PIX and the ISP gateway should belong to the same subnetwork. So you have to change your concentrator public interface to an IP from the subnet of your PIX outside and ISP gateway.

According to "switch best practices" it is not recommended to use the management VLAN in the production environment; you should evaluate the risk of sharing your management traffic with outside users.

New Member

Re: 3005 and Routing

I have the public interface on the same subnet as the outside interface and the ISP. I was able to obtain an address on this subnet and all is working fine now. Thanks for your assistance.
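
The on-link test behind the concentrator's 'not on a local network' message, and the one-subnet-per-VLAN point made in the replies, can be checked before touching a device. The following is an added example, not part of any post in this thread; the /27 prefix lengths and the PIX address are assumptions constructed for illustration, since the thread gives only the concentrator and gateway addresses.

```python
import ipaddress
from collections import defaultdict

def gateway_is_on_link(interface_cidr, gateway):
    """True if the gateway is a usable next hop inside the interface's own subnet."""
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw.version != iface.version or gw not in net:
        return False
    # Network and broadcast addresses are not valid next hops (except /31, /32).
    if net.prefixlen < net.max_prefixlen - 1 and gw in (
        net.network_address, net.broadcast_address
    ):
        return False
    # A device cannot be its own default gateway.
    return gw != iface.ip

def audit_vlan(devices, gateway):
    """devices maps name -> interface CIDR for everything on one VLAN.

    Returns (subnet -> device names, names that cannot reach the gateway on-link).
    More than one subnet key means the VLAN carries mixed addressing.
    """
    subnets = defaultdict(list)
    off_link = []
    for name, cidr in devices.items():
        subnets[str(ipaddress.ip_interface(cidr).network)].append(name)
        if not gateway_is_on_link(cidr, gateway):
            off_link.append(name)
    return dict(subnets), off_link

# Addresses from the thread; prefix lengths are assumed, PIX address is constructed.
SAMPLE_GATEWAY = "66.77.117.65"
SAMPLE_DEVICES = {
    "pix-outside": "66.77.117.66/27",    # constructed address, assumed mask
    "concentrator": "209.3.157.86/27",   # address from the thread, assumed mask
}

if __name__ == "__main__":
    subnets, off_link = audit_vlan(SAMPLE_DEVICES, SAMPLE_GATEWAY)
    for net, names in subnets.items():
        print(f"{net}: {', '.join(names)}")
    for name in off_link:
        print(f"{name}: default gateway {SAMPLE_GATEWAY} is not on a local network")
```
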
