We have a Cisco 2600 at the remote site. We can connect to it via a VPN connection. There is a machine which people can always get to from the same subnet/remote network. Now they want to access that machine from the network. For some reason, we cannot ping two of the IP addresses (that machine plus another machine) in that subnet from our network, but we can ping and telnet from the 2600 router. Both machines connect to an HP4000 switch, which connects to the Cisco 2600 FastEthernet 0/1. The default gateway looks fine. We can see both the IP and MAC addresses in the ARP table on the Cisco 2600. One of the machines shows SNAP type in the ARP table. Others show ARPA. We can ping other machines in that subnet (probably about 40 machines, including PCs and printers, etc.). Could this be an encapsulation problem? Does anyone know the problem? Any suggestions?
On the Cisco 2600, I can ping and traceroute both machines because they are directly connected to an HP switch via a 2600 Ethernet port. But for anything outside of that subnet, the trace will go through the VPN tunnel and go back and forth on that VPN /30 IP. I even manually inserted a static route in the routing table, which did not work. For some reason, I cannot log in to those two machines, so I was not able to do any ping or trace from these two machines.
Thanks for the info. I believe the packet forwarding takes place in the VPN tunnel instead of the normal path. Could you please ensure the ACL for the VPN does not include these hosts? Or please advise the conditions under which addresses will pass through the VPN and which will not.
Below is a doc which describes the sequence for a packet going out from an interface.
Without the configuration it is quite difficult to provide a solid answer; you may need to troubleshoot yourself by ping, trace and fine-tuning the ACL. However, if you cannot access the router, you cannot modify the config and test.
But you said you can ping from the router, so please check if you can provide the "show access-list", "show VPDN", "show ip route", etc. related output which describes the VPN status and the access-list for the VPN.