RE: VPN3000 Problem [7:84204] posted 02/12/2004


So is permitting ICMP at the PIX even needed?  The pix and 3000 are
connecting across the Internet.  I do not own or have access to the
3000.


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] 
Sent: Thursday, February 12, 2004 10:43 AM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: VPN3000 Problem [7:84204]

As Joe Brunner mentioned; this is normal behavior.

I have another question. Why have you chosen to put the VPN 3000 behind the
PIX and not level with the PIX?

Have you thought of putting a LAN gateway behind both the VPN and the
PIX and an edge router in front?

                         +++++++++++++
                         +edge router+
                         +++++++++++++
                         Public IP
             ++++++++++++             ++++++++++++
             +PIX 515   +             +VPN 3005  +
             ++++++++++++             ++++++++++++
                          private IP

                         +++++++++++++
                         +LAN GATEWAY+
                         +++++++++++++
LAN gateway has static (more specific) routes to tunnel subnets and a
default route to PIX inside.

Joseph Brunner wrote:
> 
> let me get this straight, what's behind the pix can't talk to
> the client until the client tries to ping the networks behind
> this pix ?
> 
> If this is the case it is because
> 
> 1. you're running "split tunneling" with the vpn clients,
> 2. your clients don't learn the network via the vpn 
> 3. until they try to ping first.
> 
> This is normal behavior. VPN clients using a network list (with
> multiple subnets) will not "learn" their vpn routes until THEY
> try to hit that subnet first. I often tell my vpn users "ping
> my ip" from a dos prompt so they will learn my subnet as
> "reachable via their tunnel" and then they will subsequently
> come here for return traffic
> 
> :)
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=84302&t=84204
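As an added example, not code from the thread, here is the route selection the LAN gateway in the diagram above would perform: longest-prefix match sends tunnel subnets to the VPN 3005 and everything else to the PIX inside interface. All addresses and subnets below are constructed for illustration.

```python
import ipaddress

# Constructed next hops for the LAN gateway in the thread's diagram.
# These addresses are assumptions for illustration, not values from the post.
VPN_INSIDE = "192.168.1.2"   # VPN 3005 private-side interface (assumed)
PIX_INSIDE = "192.168.1.1"   # PIX 515 inside interface (assumed)

# (prefix, next hop): the specific routes point at the VPN concentrator,
# the default route sends all other traffic to the PIX.
LAN_GATEWAY_ROUTES = [
    ("0.0.0.0/0", PIX_INSIDE),
    ("10.50.0.0/16", VPN_INSIDE),    # remote VPN client pool (constructed)
    ("172.16.8.0/24", VPN_INSIDE),   # a site-to-site tunnel subnet (constructed)
]


def next_hop(dst, routes=LAN_GATEWAY_ROUTES):
    """Longest-prefix match: the most specific route containing dst wins,
    so return traffic to tunnel subnets reaches the VPN 3005 and everything
    else falls back to the default route towards the PIX."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def tunnel_subnets_via_pix(tunnel_subnets, routes=LAN_GATEWAY_ROUTES):
    """Sanity check for the design: list tunnel subnets that lack a specific
    route and would therefore be forwarded to the PIX instead of the VPN."""
    return [
        s for s in tunnel_subnets
        if next_hop(str(ipaddress.ip_network(s).network_address), routes) != VPN_INSIDE
    ]


if __name__ == "__main__":
    for dst in ("10.50.3.7", "172.16.8.20", "198.51.100.9"):
        print(f"{dst:>14} -> {next_hop(dst)}")
    print("missing tunnel routes:",
          tunnel_subnets_via_pix(["10.50.0.0/16", "172.16.9.0/24"]))
```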