Routing via PIX/VPN

dingleypress · ‎06-28-2007

I have an established VPN site to site between a PIX 501 at the remote end, and a 515e at the main site. Subnets are 192.168.50.x at the remote site, 192.168.44.0 (255.255.254.0 mask at main site end) which is working properly.

I can, with persistent routes on systems at each end, see the needed addresses on the 44/45 subnet from 50, and the 50 subnet from 44/45, and traffic moves appropriately.

At the main end I now have added a 192.168.53.x subnet, with a router at 192.168.44.24 to handle it, and from the pix at 192.168.45.1 I can see addresses on this subnet.

What I am trying to do is to get a route esablished from the pix at 192.168.50.1 so that addresses on the 192.168.50.x subnet can see the 53.x subnet addresses (So I can place some VoIP phones at the remote site to connect to the PBX here, which is using the 53.x subnet.

I can ping addresses from the pix at the main site (45.1) on the 53.x subnet, and I can ping the 44.24 address of the router to the 53.x subnet from addresses on 50.x subnet.

I know I am missing a route from the 50.x subnet to find the next hop, but I cannot seem to determine where it goes from here. I would assume the 50.1 pix should have a route to 53.x with a gateway address of 50.1, and that would pass to the 45.1 pix, which has a route to the 44.24 as a gateway to 53.x, but I can't seem to make that work.

So, what am I missing, or am I missing the boat entirely on the process? I am good enough with tcp routing to understand the answer, but not quite good enough to spot it apparently.

Mike Martell

paolo bevilacqua · ‎06-28-2007

Hi Mike,

first of all, routes are not enough. On the pix, you must change the access list for VPN (NAT 0) so that the .53 subnet is allowed to exchange crypted traffic with the .50 subnet.

Then PIXes don;t really pass routes to each others. They can do very simple rip or ospf, but perhaps is not worth for you do that yet. Basically, the route to .53 on pix 50.1 is just like the one to .44. Viceversa on the other pix.

Then, the router will need a route to .50 via 45.1

That should be it.

Hope this helps, please rate post if it does!

dingleypress · ‎06-29-2007

I think that has me closer to it, but I am not quite there yet.

the 192.168.53.x network has been added to the acl at both ends to allow it to pass traffic from the 501 pix at the 50.x network end to the 515 pix at the 44.x end. A route is added on the 501 pix to take 53.x and route it to 45.1, and on 45.1 to route to 44.24 for the 53.x subnet.

At the 515pix, 45.1, I can ping (inside) the 50.1, 50.3 (a host beyond the pix for testing) , 44.24 (router to the 53 net), and 53.1 (host on 53 subnet) with no problems.

At the 501 pix, 50.1 , I can ping 50.3, 45.1 (515 pix), 44.24, but not the 53.1

I'm still missing something, but I just haven't found it.

timkaye · ‎07-02-2007

So to confirm, router 44.24 has a route to 192.168.50.0 via 45.1?

As long as the subnet masks are fine on the pix 515 and the router 44.24

can you supply a sh cry ip sa from the 515 and 501?

haoshoken · ‎07-05-2007

Maybe you could try doing a traceroute to help you in your troubleshooting? Very often this simple command got me out of many difficult situations. :)

Or maybe the route metrics are making your packets hopping about instead of reaching the destination?

Hope it helps.