PIX VPN help.

Now we might be getting somewhere! You cannot load balance a VPN connection.

Do you have a rule in the LB saying any traffic destined for 10.10.1.X to go to pix 10.98.74.1 only?

Are you sure the LB isn't doing some kind of NAT?

What is the 192.168.10.X's default gateway?

From the Pix can you ping the server on 192.168.10.X?

Reply to
Brian V

LAN-------ROUTER-----PIX-----INTERNET/VPN------PIX----LAN

Thanks for sticking this out!! This connection would not be balanced.

- Only traffic that is NAT'd to a 10.98.74.0 IP would be load balanced.

  ie. static (inside,outside) b.b.b.205 10.98.74.210 netmask 255.255.255.255 0 0

- There are other IPSEC tunnels working flawlessly. The only difference between them is that this one that is not working uses 192.168.70.0 - the rest use the 192.169.10.0 network.

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.10.30
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.1

Yes.

    pixfirewall# ping 192.168.10.30
    192.168.10.30 response received -- 0ms
    192.168.10.30 response received -- 0ms
    192.168.10.30 response received -- 0ms

Reply to
J1C

When you do a traceroute from the server 192.168.10.X to 10.10.1.1 does it follow the right path? I think your path should be:

  1. 192.168.10.1 (layer 3 switch?)
  2. 10.98.74.2 (your load balancer)
  3. 10.98.74.1 (inside of Pix)
Reply to
Brian V

I get...

  1. 192.168.10.1 (load balancer)
  2. 216.x.x.x (IP of my ISP)
  3. 216.x.x.x (IP of my ISP)
  4. 204.x.x.x (IP of WorldCom/MCI) reports host unreachable
Reply to
J1C

LAN------Router------Internet/VPN------Router-----LAN

The #2 IP...is that directly outside of the Pix? Does it end in .97?

Reply to
Brian V

No, it is .125.

Reply to
J1C

The default gateway of your Pix is x.x.x.97. Unless that is an HSRP address, you are not going out the Pix that you have the VPN set up on; you are taking an alternate path via the load balancer. That also explains why the other side is not seeing your traffic.

Reply to
Brian V

Thanks for the help Brian, I ended up grabbing a Cisco tech to help out. We upgraded the PIX to 6.3(5) and used a policy-based NAT to route the interesting traffic.

Reply to
J1C
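For readers who land on this thread with the same symptom, here is what a PIX 6.3 policy NAT for the VPN interesting traffic can look like. This is an added illustration, not the configuration J1C or the Cisco tech actually applied; the LAN (192.168.10.0/24), remote subnet (10.10.1.0/24) and LB/PIX transit addresses (10.98.74.2 and 10.98.74.1) are taken from the thread, while the translated address 10.98.74.200, the ACL names, the crypto map name, the transform set and the peer placeholder are assumptions.

```cisco
! Added example for PIX 6.3(x); comment lines are explanatory only.
! Problem in the thread: LAN hosts default to the load balancer, so packets for
! 10.10.1.0/24 left via the ISP instead of the PIX that terminates the tunnel.

! The PIX must know the LAN sits behind the load balancer (10.98.74.2 per thread)
route inside 192.168.10.0 255.255.255.0 10.98.74.2 1

! 1. Interesting traffic: LAN -> remote VPN subnet (match only this flow)
access-list VPN-INTERESTING permit ip 192.168.10.0 255.255.255.0 10.10.1.0 255.255.255.0

! 2. Policy NAT (new in 6.3): translate the LAN only when it talks to 10.10.1.0/24.
!    10.98.74.200 is an ASSUMED spare address on the PIX inside/transit subnet.
nat (inside) 2 access-list VPN-INTERESTING
global (outside) 2 10.98.74.200

! 3. The crypto ACL must match the POST-NAT source, otherwise the tunnel never
!    sees the flow; the remote PIX mirrors this ACL with src/dst swapped.
access-list VPN-CRYPTO permit ip host 10.98.74.200 10.10.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-CRYPTO
crypto map OUTSIDE-MAP 10 set peer REMOTE-PIX-PUBLIC-IP
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
sysopt connection permit-ipsec

! 4. Verification after a test ping from 192.168.10.30 to a 10.10.1.x host:
!    show xlate            (an entry 192.168.10.30 -> 10.98.74.200 should appear)
!    show crypto ipsec sa  (#pkts encaps/decaps should increment for this SA)
```

If `show xlate` stays empty, the packets are still not reaching the PIX inside interface, which is the load-balancer routing problem Brian identified rather than a NAT or crypto issue.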

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.