04-14-2010 07:03 AM
Hi,
I have a layer 3 switch with several vlans.
On vlan 5 (1.1.1.0/24) there is a router that has ipsec l2l with a remote site.
The problem is that my users have as default gateway the interface vlan 5 IP address (1.1.1.1/24), so they cannot access the remote sites through the ipsec router.
If I change the default gateway to the router's internal if (1.1.1.2/24) everything is working as expected.
Is there a way to trick this so the users won't have to change their default gw?
Thanks.
04-14-2010 07:48 AM
Sounds like this could be a routing issue. What does your routing table look like on your L3 switch?
04-14-2010 08:07 AM
There is a default route pointing to my asa firewall.
I have also inserted a route for the remote site to point to the ipsec router,
e.g. 2.2.2.0 255.255.255.0 1.1.1.2
where 2.2.2.0/24 is the lan subnet of my remote site and 1.1.1.2 the ipsec router.
04-14-2010 08:12 AM
From a user if you traceroute to the remote VPN subnet, where does it stop? Are your users in the same vlan as your IPSec router and your ASA?
04-14-2010 09:12 AM
Yes my users and the ipsec router are on the same vlan.
traceroute to 2.2.2.10 (remote lan)
1 -> 1.1.1.2 (ipsec router)
and then I get a destination unreachable, although my vpn tunnel is up and running...
From the other site, 2.2.2.0/24, I can ping 1.1.1.2 (ipsec router's internal if) but not any other host on 1.1.1.0/24.
Thanks for your help.
04-14-2010 09:20 AM
Can any users that are connected to your switch, but not in the same subnet as the IPSec router and the ASA get across the VPN tunnel?
04-14-2010 11:44 AM
The ASA is connected to the L3 Switch through a routed port.
At the moment the crypto access list permits PCs that are on the same vlan with the ipsec router. So unfortunately I can't test your scenario.
04-14-2010 11:58 AM
Does your ASA have a route for the remote VPN subnet pointing to the router? What do the logs on the router say when you try and go across the tunnel?
04-14-2010 12:52 PM
Yes it does, I can see matches in my crypto access list but still no connectivity...
04-14-2010 02:30 PM
Do you have an ACL on the inside interface of the ASA? Can you also put together a simple diagram?
04-14-2010 07:46 PM
When users choose the VPN router as their default GW the connection works, so I don't think the ASA is involved. Is 1.1.1.2 the inside or outside interface of the VPN router? Or does it only have one?
04-15-2010 12:49 AM
                ASA
                 |
     --------------------------
     |    LAYER 3 SWITCH      | ------- (internal if - ip address 1.1.1.2/24) IPSec Router, part of Vlan5 (ext if 10.10.10.1) = vpn tunnel = Remote Router
     --------------------------
       |         |         |
     vlan3     vlan4     vlan5 (1.1.1.1/24)

Users on vlan 5 have as default gw the 1.1.1.1. If I change the default gw to my ipsec router's internal IP 1.1.1.2 I have connectivity.
On my layer 3 switch I have an ip route command like ip route 2.2.2.0 255.255.255.0 1.1.1.2 where 2.2.2.0 is the remote router's LAN.
The ipsec router has 2 interfaces as shown above.
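An added illustration, not from any poster in this thread: a small Python model of the forwarding decisions described above. It does a longest-prefix-match lookup on the switch's routing table, flags the case where the switch's SVI has to send a vlan 5 packet back out onto vlan 5 towards 1.1.1.2 (a hairpin, which on a Cisco SVI with ip redirects left at its default also produces an ICMP redirect to the host), and then checks whether the IPsec router's crypto ACL would treat the flow as interesting traffic. The vlan3/vlan4 subnets, the ASA next hop and the exact crypto ACL line are not in the thread and are assumed here.

```python
import ipaddress

# Constructed model of the thread's topology. Values the posts do not give
# (vlan3/vlan4 subnets, the ASA next hop, the crypto ACL lines) are assumed.
SWITCH_ROUTES = [
    ("0.0.0.0/0",   "asa"),       # default route towards the ASA
    ("2.2.2.0/24",  "1.1.1.2"),   # ip route 2.2.2.0 255.255.255.0 1.1.1.2
    ("1.1.1.0/24",  "vlan5"),     # connected, SVI 1.1.1.1
    ("10.3.0.0/24", "vlan3"),     # assumed vlan3 subnet
    ("10.4.0.0/24", "vlan4"),     # assumed vlan4 subnet
]

# Assumed crypto ACL on the IPsec router: only vlan5 hosts are interesting traffic,
# matching the poster's remark that the ACL permits PCs on the router's own vlan.
CRYPTO_ACL = [("1.1.1.0/24", "2.2.2.0/24")]


def lookup(routes, dst):
    """Longest-prefix match: return the next hop (IP string or connected vlan name)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def connected_vlan(routes, addr):
    """Name of the connected vlan an address belongs to, or None if not directly connected."""
    hop = lookup(routes, addr)
    return hop if hop and hop.startswith("vlan") else None


def crypto_match(acl, src, dst):
    """True when the src/dst pair is permitted by a (source, destination) crypto ACL entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def trace(src, dst):
    """Walk a packet from a LAN host through the L3 switch and, if routed there, the IPsec router."""
    result = {"src": src, "dst": dst, "hops": [], "hairpin": False, "encrypted": False}
    nexthop = lookup(SWITCH_ROUTES, dst)
    result["hops"].append(("switch", nexthop))
    if nexthop == "1.1.1.2":
        # Same ingress and egress vlan on the switch: the SVI hairpins the packet
        # and (with ip redirects enabled, the default) tells the host to use 1.1.1.2.
        result["hairpin"] = (connected_vlan(SWITCH_ROUTES, src)
                             == connected_vlan(SWITCH_ROUTES, nexthop))
        result["encrypted"] = crypto_match(CRYPTO_ACL, src, dst)
        result["hops"].append(("ipsec-router",
                               "tunnel" if result["encrypted"] else "not interesting traffic"))
    return result


if __name__ == "__main__":
    for s, d in [("1.1.1.50", "2.2.2.10"), ("10.3.0.5", "2.2.2.10"), ("1.1.1.50", "8.8.8.8")]:
        print(trace(s, d))
```

Running it shows the two cases the thread circles around: a vlan 5 host reaching 2.2.2.10 is hairpinned by the switch and then matches the crypto ACL, while a vlan 3 host takes the same static route but falls outside the ACL, so the router would not put that flow into the tunnel at all.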
04-15-2010 01:18 AM
OK, I have some new feedback on this.
When the users change their default gateway to 1.1.1.2 (ipsec router's internal if) I have connectivity, but only from the remote site.
Meaning, users on the remote LAN 2.2.2.0/24 can access user PCs on 1.1.1.0/24 but not vice versa.
It seems that even changing the default gateway for my users to 1.1.1.2 they cannot access 2.2.2.0/24...
04-15-2010 03:21 AM
Seems like some ACL in the ASA is blocking the traffic.
Could you please share the routing table of the gateway routers at both sites.
04-15-2010 01:35 PM
It seems that there is a problem with my ISP and their ability to route 3G traffic.
Thank you all for your help.