Hey all. I am new to the Cisco world and even newer to the 3005 concentrator. I appear to have something out of place. Hope you guys can help. Here it is:
I have a T1 coming into a Cisco 2600 which is directly connected to the Public side of a Watchguard Firewall (to be replaced pretty soon). I want to introduce a VPN 3005 into the mix. Here is what I do.
I have a 2950-12 that the router, firewall, and VPN 3005 connect their ports to. I then have the private interfaces of the firewall and 3005 plugged into a 4006 that is the private network. I think I have configured the VPN concentrator correctly. The public IP address and subnet mask are valid and the default gateway is set to the 2600. The firewall is set the same way.
I can ping the firewall from the outside world, but not the 3005. I know that my information is probably far from complete, but I was hoping that someone could help down the right path.
Are you *sure* the Public interface address is valid? Are you *sure* the default gateway is set to the 2600's IP address, or have you set it to just the Public interface (which relies on proxy-ARPs and may not work)? Was it the default gateway or the tunnel default gateway you set to the 2600? Make sure it's the default gateway (the tunnel default gateway should point to your inside router). From the 3005 (under Administration - Ping), can you ping the 2600 interface? How far can you ping outbound? This'll give you an indication of the problem.
I can ping the IP address of the 2600 and various hosts out on the internet from the 3005 web interface. I am getting to the web interface through the private IP address. We have a class C license with 254 public IP addresses available to us. I know nothing about the 2600 and how it is configured. It was installed by the company that provides us with the T1 feed. I don't even know the password to get into it to take a look at the config file. I know I am probably making a mountain out of a molehill but I am not seeing a clear picture.
I actually want to renege on my last post. Where the firewall is cloning the 2600's IP address is on the private side. We are doing that so all of our traffic from our private and public hosts goes through the firewall.
Also, is ICMP disabled on the VPN Concentrator by default? Sorta like the PIX's and such? That may be the issue.
I think you're right. I just took a closer look at my firewall. It appears that it is cloning the IP address of the router. My only problem: I think that this entry is necessary for the current way that we have this set up. I removed the setting from the firewall and nothing worked. Any thoughts? I can add static routes in the firewall. I was wondering if this is what I need to do to get rid of the cloned address and yet still have traffic pass from the router to the firewall.