All, I am in need of help. We have a Cisco 3030 concentrator that does not proxy ARP for the client IP addresses that we give out via Cisco ACS RADIUS.
That is a simple look at how it is set up. The concentrator sits on the private side of 172.29.128.0. If we have the RADIUS box handing out 172.29.128.0 addresses to the clients, everything works fine. But we do not want this; we want our clients to be given 172.31.50 address space. When we do this we can VPN in but get nowhere. I have a sniffer in place and am also doing a snoop on the Check Point. When we VPN in and get 172.31.50.1 as a client address, the firewall asks via ARP who is 172.31.50.1, and the concentrator does not answer for this IP. What is strange is that if we put the DHCP scope back to 172.29.128.0 and the firewall asks via ARP who is 172.29.128.1, the concentrator answers for that.
Question: can you give out a different DHCP address from a RADIUS box than what is assigned to the concentrator and have this work?
Of course, explaining one's network to someone is always a difficult thing. Anyway, the concentrator sits in a DMZ of the firewall, with the private 172.31 in a VLAN with another interface off the firewall with a 172.31 IP address also. The client wants all traffic going through the firewall; we could not convince them to let us connect directly to the internal network.
Right now we do have a static route on a cat5500RSM saying to get to 172.31 go to the firewall address, which is locally attached to the concentrator, and the firewall routes it there. But as I stated, when the firewall gets the packet on the private interface it asks via ARP who is 172.31.50.1 (client address) and the concentrator doesn't answer for it. We have the tunnel default gateway pointing to the firewall.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: