Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Help

Hello,

We have a cisco 2600 at the remote site. We can connect to it via VPN connection. There is a machine, which people can always get to it from the same subnet/remote network. Now they want to access that machine from the network. For some reasons, we cannot ping two of ip addresses (that machine plus another machine)in that subnet from our network; but we can ping and telnet from the 2600 router. Both machines connect to a HP4000 switch, which connects to the cisco 2600 fastethernet 0/1. The default gateway looks fine. We can see both ip and MAC address in the arp table in cisco 2600. One of machines shows SNAP type in ARP table. Others show ARPA. We can ping other machines in that subnet (probably about 40 machines, including PCs and printers, etc.). Could this be encapslation problem? Does anyone know the problem? Any suggestions?

thanks for your help,

Gene

4 REPLIES
Silver

Re: Help

Ping provide the config. of 2600 and the successful & failure trace route result.

How about these two machines ping to other hosts ? successful or fail ?

New Member

Re: Help

Hi Jack,

In cisco 2600, I can ping and traceroute both machines because they are directly connected to a HP switch via a 2600 Ethernet port. But anything outside of that subnet, the trace will go through the VPN tunnel and go back and forth on that VPN /30 ip. I even manually insert a static route in the routing table, of which did not work. For some reasons, I cannot login to those two machines; so I was not able to do any ping or trace from these two machines.

thanks the help,

Silver

Re: Help

Thanks for the info. What I believe the packet forward take place in the VPN tunnel instead of normal path. Could you please ensure the ACL for the VPN does not include these hosts ? Or please advise the condition of when, what address will be pass through the VPN and not.

Below is a doc. which describe the sequence which the packet out-going from an interface.

Please check it for reference.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Without configuration it is quite difficult to provide a solid ans., you may need to troubleshhot yourself by ping, trace and fine tune the ACL. However, if you cannot access the router, you cannot modify the config. and test.

But you said you can ping from the router, please try to check if you can provide the "show access-list", "show VPDN", "show ip route", etc. related output which describe the VPN status and the access-list for VPN.

Hope this helps.

Silver

Re: Help

Hello,

Can you check the default route on these two machines. They should have the 2600 as default route. If you have route to them this does not mean they can route back to you.

Therefore, try to trace to your network from those machines. Ask somebody to do the trace and send you the output.

As I said I feel the problem is the default route on those two machines is incorrect.

Let me know if this solves the problem and rate if this helps,

Regards,

102
Views
0
Helpful
4
Replies
CreatePlease to create content