Can't connect to peers on VPN

Unanswered Question
Jul 18th, 2007

Here is the situation.


I am the network 'admin' here at a franchise office of Trane systems. We are trying to set up a VPN system so we can connect remotely in the field to our storage servers.


I brought my PIX 506-E in from home to test the VPN connection. I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network. But when I put it on the network I can't 'see' any of the domain computers from the remote machine.


IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network, but it only lets me ping the Linux machine we have set up here. The fact that all the entries are correct means the PIX is pushing the right numbers to my remote client. The remote client is a domain computer that I hooked up to a wireless Sprint card, something I've done before with another domain and it works perfectly.


It sometimes lets me ping another terminal server we have here but it only gets one ping, the rest time out.


I really have no clue what to do right now. The PIX is on a separate subnet from the network because the PIX is using a DSL connection and won't let me translate port 80 for our server on the *.*.*.128 subnet.


Any ideas would be greatly appreciated.

Overall Rating: 5 (9 ratings)
acomiskey Wed, 07/18/2007 - 06:31

Could you possibly simplify your explanation of the problem?


"I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network"


-A remote computer being a VPN client, or a computer on the inside network reached from the VPN client?


"IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network but it only lets me ping the Linux machine we have set up here."


-IP config on the VPN client? The VPN client subnet should be different than the internal network.




m-jankowski Wed, 07/18/2007 - 06:36

It's a bit early for me. Let me try again.



All our computers have to be registered on the domain before they can join the domain.


Computer A is a registered computer on the domain. I'm using this computer and a Sprint wireless card to VPN into my Trane network.


The Trane network has a subnet of *.*.*.128.


Workstation B is the computer I'm trying to connect to on the internal network. I am able to connect to it when I place it on the same network settings (DNS, gateway, subnet) as the PIX, but not when it's configured by the Trane Net DHCP, which puts it on a different subnet and gateway as well as different DNS and WINS servers.


Computer A has the right domain, DNS, WINS and DNS suffix as the rest of the Trane Net computers but it cannot connect to Workstation B now that it is back on the Trane Net IP settings.

acomiskey Wed, 07/18/2007 - 06:41

This sounds like a routing problem. What is the normal default gateway of Workstation B when using Trane DHCP? You need to be able to route to the VPN client subnet via the inside interface of the PIX. And like I said previously, the VPN client pool needs to be different than any other inside subnet. When you change the IP settings on Workstation B and make its default gateway the inside of the PIX, you can reach it from the VPN client.


If you cannot add a route on the network you will need to add a persistent route on Workstation B. Something like...


route add MASK


Hopefully I'm on the right track here.

m-jankowski Wed, 07/18/2007 - 06:45

I think you are. I had a feeling the gateway or subnet was a problem, but since you say it's OK for the VPN subnet for Computer A to be .255 and the subnet for Workstation B to be .128, then the only other thing is the gateway.


Workstation B's gateway is *.*.*.129 while the PIX is *.*.*.14.


So the reason why I can't ping from the VPN is because it doesn't know how to route back to the PIX? Is this on my PIX side or the other router for the Trane net side?

acomiskey Wed, 07/18/2007 - 06:50

Either Workstation B or Workstation B's default gateway will have to have a route to the vpn client subnet via x.x.x.14.


If...


vpn client subnet = 192.168.200.0/24


then...


ip route 192.168.200.0 255.255.255.0 x.x.x.14

m-jankowski Wed, 07/18/2007 - 06:59

The other router for Trane Net is a Cisco router, which most likely will accept Cisco CLI instructions. So this could be really easy to fix, if I had access to it. Trane Net controls anything that is on 'their' end even though it's sitting in my server room.


What would be the exact command to setup that route? The IP details are as follows:


Trane Net:

192.168.75.XX <-- Workstation IP's

192.168.75.254 <-- Gateway

255.255.255.128 <-- Subnet


PIX VPN:

192.168.75.15-30 <-- IP Pool for VPN

192.168.75.14 <-- PIX Router

255.255.255.129 <-- the new subnet I'll set for VPN clients

acomiskey Wed, 07/18/2007 - 08:01

A little confused on your vpn pool subnet. That mask would actually be 255.255.255.240 for 192.168.75.16/28. The command would be...


ip route 192.168.75.16 255.255.255.240 192.168.75.14

m-jankowski Wed, 07/18/2007 - 09:11

I'm sorry... I completely mistyped the ranges.


the VPN pool is 159.112.75.15-159.112.75.30


I'm honestly not that smart when it comes to subnets.

acomiskey Wed, 07/18/2007 - 09:18

That's ok, I'm not either. Does any other 159.112.75.x subnet exist on the network? You could just do "ip route 159.112.75.15 255.255.255.0 192.168.75.14".


159.112.75.15 is part of 159.112.75.0/28. While the other addresses, .16-30 are part of 159.112.75.16/28.


Please rate helpful posts.


m-jankowski Wed, 07/18/2007 - 09:24

Well see I retyped everything:


Trane Net:

159.112.75.XX <-- Workstation IP's

159.112.75.254 <-- Gateway

255.255.255.128 <-- Subnet


PIX VPN:

159.112.75.15-30 <-- IP Pool for VPN

159.112.75.14 <-- PIX Router

255.255.255.*** <-- the new subnet I'll set for VPN clients


Nothing else will share the subnet the VPN is on... the only other subnet is the .128.

m-jankowski Thu, 07/19/2007 - 04:40

I don't know if I confused you or not. Should I switch the VPN pool and gateway IP so they are in the same subnet?


Would it matter if I set up an IP reserve for, let's say, 159.112.76.100-159.112.76.255, put the IP pool as that, and make the PIX either 159.112.76.1 or .100?


What I really don't understand is that if I use Angry IP Scanner when I'm connected via DHCP, it lets me find almost every host on the 159.112.75.* IP range. But if I change my IP to, let's say, 159.112.75.15, make the gateway the same and the subnet 255.255.255.0, I can't 'see' any of the clients in the other network anymore.

m-jankowski Thu, 07/19/2007 - 04:50

Can I route the entire subnet without having to specify a specific IP?


ip route 159.112.75.15 255.255.255.0 192.168.75.14 is the command but I want all traffic for the entire network routed to 159.112.76.1 if the subnet is 255.255.255.0


So the command would be:


ip route any 255.255.255.0 192.168.76.1


Correct?

acomiskey Thu, 07/19/2007 - 05:01

This is why you should use a completely different network subnet for the client subnet. If the new VPN client network is 172.16.100.0/24 then...


ip route 172.16.100.0 255.255.255.0 192.168.75.14



m-jankowski Thu, 07/19/2007 - 05:07

OK I'm starting to understand..


That command will make sure any requests made to the Trane subnet from the VPN subnet will be directed back to the other gateway. So here's my final draft:


IP RANGE: 159.112.100.1 - 159.112.100.254


Subnet: 255.255.255.0


PIX Gateway: 159.112.100.1


Command to map:


ip route 159.112.100.0 255.255.255.0 159.112.100.1


Am I close?

acomiskey Thu, 07/19/2007 - 05:14

Not exactly. Leave the pix address where it was. It was 159.112.75.14 right???


Pix inside = 159.112.75.14


VPN Client Pool = 159.112.100.1 - 159.112.100.254


Command in router:


ip route 159.112.100.0 255.255.255.0 159.112.75.14


What this does is let the Trane network (159.112.x.x) know how to get to the VPN clients. It says: I get to the VPN client subnet (159.112.100.0/24) by going to the PIX (159.112.75.14).


Note: I put "192.168.75.14" in my post above. I think you changed the PIX address at some point.
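The subnet arithmetic behind the last few exchanges (the 255.255.255.129 "mask", the 159.112.75.15-30 pool sitting inside the office 159.112.75.0/25, and the single route the office router needs once the pool moves to 159.112.100.0/24), as an added example that is not part of the original thread. It uses only the addresses posted above and the Python standard library; nothing in it talks to a PIX or a router, and the IOS-style `ip route` line it builds is the one the thread arrives at, not output from any device.

```python
"""Added example, not from the thread: sanity checks for a remote-access VPN pool.

Reproduces the arithmetic behind the advice in the thread: a pool whose
netmask is not contiguous (255.255.255.129), a pool that sits inside the
office subnet (159.112.75.15-30 inside 159.112.75.0/25), and the one route
the office router needs once the pool is moved to 159.112.100.0/24.
Addresses are the ones posted in the thread; nothing here talks to a device.
"""
import ipaddress


def netmask_prefix(mask: str):
    """Prefix length of a contiguous netmask, or None if the mask is invalid."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF
    # A valid mask inverts to 0...01...1, so host_bits + 1 must be a power of two.
    if host_bits & (host_bits + 1):
        return None
    return 32 - host_bits.bit_length()


def covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing the whole first-last range.

    A pool such as 159.112.100.1-254 is not itself a CIDR block, but the
    inside router only needs one route for the block that contains it.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    prefix = 32
    # Shorten the prefix until both ends share the same network bits.
    while (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    network = (a >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network, prefix))


def route_plan(inside_nets, pix_inside: str, pool_first: str, pool_last: str):
    """Validate a VPN client pool and return (problems, route).

    inside_nets: subnets already in use on the office LAN (CIDR strings)
    pix_inside : address of the PIX inside interface (the next hop)
    route      : the IOS-style static route the office router would need
    """
    problems = []
    pix = ipaddress.IPv4Address(pix_inside)
    nets = [ipaddress.IPv4Network(n) for n in inside_nets]

    # The next hop must sit on a subnet the office router is attached to.
    if not any(pix in n for n in nets):
        problems.append(f"PIX inside address {pix} is not on any inside subnet")

    # The pool must not overlap anything already routed on the inside;
    # otherwise inside hosts ARP for the VPN clients instead of routing to them.
    block = covering_block(pool_first, pool_last)
    for n in nets:
        if block.overlaps(n):
            problems.append(f"pool block {block} overlaps inside subnet {n}")

    route = f"ip route {block.network_address} {block.netmask} {pix}"
    return problems, route


if __name__ == "__main__":
    office = ["159.112.75.0/25"]          # Trane Net, mask 255.255.255.128
    for first, last in (("159.112.75.15", "159.112.75.30"),
                        ("159.112.100.1", "159.112.100.254")):
        problems, route = route_plan(office, "159.112.75.14", first, last)
        print(f"pool {first}-{last}: {route}")
        for p in problems:
            print("  problem:", p)
    print("255.255.255.129 ->", netmask_prefix("255.255.255.129"))
```

Running it reports the first pool as overlapping 159.112.75.0/25 and the second as clean, with the route `ip route 159.112.100.0 255.255.255.0 159.112.75.14`; the invalid mask comes back as None. The same overlap check is worth keeping in a pre-change checklist whenever a pool is carved out of an existing LAN range.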

m-jankowski Thu, 07/19/2007 - 05:21

OK, perfect. Just for reference, what subnet should the PIX be on? Because right now I believe it's 255.255.255.0.

acomiskey Thu, 07/19/2007 - 05:24

255.255.255.0 is a subnet mask. It depends on what your Trane network is defined as. What networks are there on the Trane network? What mask do you get on a DHCP client? What network is the PIX connected to?

m-jankowski Thu, 07/19/2007 - 05:40

Trane Net:


IP Address: 159.112.75.XX


Subnet Mask: 255.255.255.128


PIX (connected to DSL):


IP Address: 159.112.75.14


Subnet Mask: 255.255.255.0



The reason I don't have it on the .128 subnet is because I can't get NAT/PAT working correctly when I try to translate ports from the DSL address.

acomiskey Thu, 07/19/2007 - 05:46

You won't be able to route to the PIX if it's not on the Trane network.


You were probably having trouble with NAT/PAT because the default gateway on the internal devices is not the PIX. I assume this is the network topology?


Trane Network -> Router -> Internet
|
Pix
|
Internet
|
VPN Clients

m-jankowski Thu, 07/19/2007 - 05:58

It's kind of like this:


Trane Network(Internet) <- T1 Line <- |Office Network| Webserver -> PIX -> DSL -> Internet


Our web server is hosted on the DSL line and our web page resolves to the DSL. Trane Net is a T1 line we use for internet access and Citrix applications. The DSL is dedicated mainly to the website, and sometimes to us IT guys when we get fed up with the T1's proxy.


For some reason when the PIX was on the same subnet as Trane net, the static (inside,outside) command wouldn't work because the subnets were different, the GUI told me I would have to use *.*.*.0 because it would accept .128 on the DSL or Internal address. I probably set it up wrong but I needed to get the site up so I went with the quickest way I knew how and that was to set up a different subnet and it worked.

acomiskey Thu, 07/19/2007 - 06:06

The PIX inside address should look like this, where x = a free address between 129-254. There's no reason you should not be able to use a /25 mask on the PIX.


ip address inside 159.112.75.x 255.255.255.128


static (inside,outside) tcp interface www www netmask 255.255.255.255


The web server's default gateway must be the PIX.


m-jankowski Thu, 07/19/2007 - 10:21

When I tried to put it on the same subnet as Trane Net, it wouldn't let me map the DSL address... well, it did, but it said something about needing to match the DSL IP to the last part of the subnet for the PIX.


I'll try to illustrate the network better:



|Office Network <-> Webserver\Fileserver| - - - DSL
|
|
|
Trane T1
159.112.75.*
255.255.255.128


The webserver\fileserver has two NIC's one for the network file server, one dedicated for the DSL and webserver.



Port 80, as well as mail and FTP, need to be translated over the PIX to the server. It only works if I keep the subnet like I have it now... when I set it to .128 for the PIX to match the Trane network it won't translate, and it replaces .*** with .128 on the last part of the IP address.




acomiskey Thu, 07/19/2007 - 10:53

" it said something about it needing to match the DSL IP to the last part of the subnet for the pix."


-I don't understand what this means. Could you recreate the scenario and give the exact error? Also, is this error from the PIX PDM?


"The webserver\fileserver has two NIC's one for the network file server, one dedicated for the DSL and webserver."


-The server cannot have 2 default gateways, so it will be difficult to make it public on 2 different WAN connections. If everyone who accesses the file server via the T1 is a known entity, i.e. you know their source address, then you could route to the T1 for those particular addresses and make the default gateway, i.e. all other source addresses, the PIX inside interface.


"It only works if I keep the subnet like I have it now.. when I set it to .128 for the PIX to match the Trane network it wont translate and replaces .*** with .128 on the last part of the IP address."


-Could you post the config?

m-jankowski Thu, 07/19/2007 - 12:41

I will have to post it tomorrow. I'll also take a screen shot in the config menu for the translation rule.

m-jankowski Fri, 07/20/2007 - 04:16

1. Yes, the error is from the PIX PDM. In short, I don't know how to map a route with two different masks in the CLI. I only know how to do it with the same mask.


2. The server has two NICs and each is configured for a different gateway. It's a Linux box, and the Apache server is bound to the one interface and everything else is on the other.


As for the config, I have to wait a little bit, but basically what I would do is map a static route, then copy/paste that entry in the PDM so I could map it for the rest of the ports. I thought since I had to do the same when I changed the subnet, I tried, and it kept changing the "Translated IP Address" field, the one right above where you choose what port to translate, to *.*.*.0 instead of *.130. It gave me a message like "The subnet mask does not match the outside network, we recommend *.*.*.0" and there's no way to force it.


This could easily be me not knowing what I'm doing... actually, that's exactly what it is. I'm learning little by little.
