VLANS over VPN

Question

To begin  I have a 6248 Layer 3 switch at the core of the network. It is trunked off into 4 VLANS. 2 are 10.0.0.x/30 connections to Sonicwalls. 2 are Private class B subnets (172.16.x.x/23) (VLAN 11 and VLAN 30) that connect via trunk to 5224's.the 5224's are each set in 'Switchport general mode' for all of the ports except the trunks. The Switch port general modes are set to have a PVID of 11 and 30 resectivly.   1 of the Sonicwalls acts as our gateway to the internet.(VLAN 101)   1 acts as a site to site VPN connection point. (VLAN 103)   On the Other side of that VPN Sonicwall is a Cisco Pix firewall.   I am able to connect 2 tunnels across this VPN link from the Sonicwall to the PIX.   There is a static route in the 6248 that points all traffic to 192.168.1.0 ( The other side of the VPN tunnel)  to (VLAN 103)   Only on of my VLANs  is able to talk across the site to site VPN Link.(VLAN 11)   (VLAN 30) cannot connect across this VPN but routes through to the internet Via (VLAN101) just fine.It also can completely communicate with my local network servers and devices.   I have IP routing enabled for each VLAN in the 6248.   The configurations for the VLANS and their trunking is Identical. So are their configurations in both Sonicwalls. Does any one have any Idea of why 1 will connect and the other will not? I have been trying to sort this out for 3 days... I figured I would give this a shot.   Thanks, Brian

OSTIGUY · Answer

Does the VPN connection's access lists permit traffic from the tunnel that does not work? You have access lists on the firewalls that determine which traffic gets tunnelled. Do you admin the pix on the far side of the tunnel? The capture command (on 6.2+ PIX OS) is very handy. That, and debug icmp (or debug ip icmp) might be helpful. On the pix, a show crypto ipsec sa would show if there is a SA for the subnet that is problematic - the sh cry ips sa output should have a SA for each subnet to subnet pairing that deserves encryption as defined by the crypto access-lists

Decompression · Answer

I do not have access to the other side. All I can do is ask them to add or delete commands. I do have the access lists set up on both sides of the tunnels to permit each of the VLANs ranges. As it appears there are 2 VLAN address ranges enabled through 1 tunnel.

Networking General

Was this post helpful?