Can't connect to peers on VPN

m-jankowski
Level 1

Here is the situation.

I am the network 'admin' here at a franchise office of Trane systems. We are trying to set up a VPN system so we can connect remotely in the field to our storage servers.

I brought my PIX 506-E in from home to test the VPN connection. I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network. But when I put it on the network I can't 'see' any of the domain computers from the remote machine.

IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network but it only lets me ping the Linux machine we have set up here. The fact all the entries are correct means the PIX is pushing the right numbers to my remote client. The remote client is a domain computer that I hooked up to a wireless Sprint card, something I've done before with another domain and it works perfectly.

It sometimes lets me ping another terminal server we have here but it only gets one ping, the rest time out.

I really have no clue what to do right now. The PIX is on a separate subnet from the network because the PIX is using a DSL connection and won't let me translate port 80 for our server on the *.*.*.128 subnet.

Any ideas would be greatly appreciated.

25 Replies

acomiskey
Level 10

Could you possibly simplify your explanation of the problem?

"I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network"

-A remote computer being a vpn client or a computer on the inside network from the vpn client?

"IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network but it only lets me ping the Linux machine we have set up here."

-IP config on the VPN client? The VPN client subnet should be different than the internal network.

It's a bit early for me. Let me try again.

All our computers have to be registered on the domain before they can join the domain.

Computer A is a registered computer on the domain. I'm using this computer and a Sprint wireless card to VPN into my Trane network.

The Trane network has a subnet of *.*.*.128.

Workstation B is the computer I'm trying to connect to on the internal network. I am able to connect to it when I place it on the same network settings (DNS, gateway, subnet) as the PIX, but not when it's configured by the Trane net DHCP, which puts it on a different subnet and gateway as well as different DNS and WINS servers.

Computer A has the right domain, DNS, WINS and DNS suffix as the rest of the Trane Net computers but it cannot connect to Workstation B now that it is back on the Trane Net IP settings.

This sounds like a routing problem. What is the normal default gateway of Workstation B when using Trane DHCP? You need to be able to route to the VPN client subnet via the inside interface of the PIX. And like I said previously, the VPN client pool needs to be different than any other inside subnet. When you change the IP settings on Workstation B and make its default gateway the inside of the PIX, you can reach it from the VPN client.

If you cannot add a route on the network you will need to add a persistent route on Workstation B. Something like...

route add MASK

Hopefully I'm on the right track here.

I think you are. I had a feeling the gateway or subnet was a problem, but since you say it's OK for the VPN subnet for Computer A to be .255 and the subnet for Workstation B to be .128, then the only other thing is the gateway.

Workstation B's gateway is *.*.*.129 while the PIX is *.*.*.14.

So the reason why I can't ping from the VPN is because it doesn't know how to route back to the PIX? Is this on my PIX side or the other router for the Trane net side?

Either Workstation B or Workstation B's default gateway will have to have a route to the vpn client subnet via x.x.x.14.

If...

vpn client subnet = 192.168.200.0/24

then...

ip route 192.168.200.0 255.255.255.0 x.x.x.14

The other router for Trane net is a Cisco router, which most likely will accept Cisco CLI instructions. So this could be really easy to fix, if I had access to it. Trane net controls anything that is on 'their' end even though it's sitting in my server room.

What would be the exact command to setup that route? The IP details are as follows:

Trane Net:

192.168.75.XX <-- Workstation IP's

192.168.75.254 <-- Gateway

255.255.255.128 <-- Subnet

PIX VPN:

192.168.75.15-30 <-- IP Pool for VPN

192.168.75.14 <-- PIX Router

255.255.255.129 <-- the new subnet I'll set for VPN clients

A little confused on your vpn pool subnet. That mask would actually be 255.255.255.240 for 192.168.75.16/28. The command would be...

ip route 192.168.75.16 255.255.255.240 192.168.75.14

I'm sorry... I completely mistyped the ranges.

the VPN pool is 159.112.75.15-159.112.75.30

I'm honestly not that smart when it comes to subnets.

That's ok, I'm not either. Does any other 159.112.75.x subnet exist on the network? You could just do "ip route 159.112.75.15 255.255.255.0 192.168.75.14".

159.112.75.15 is part of 159.112.75.0/28. While the other addresses, .16-30 are part of 159.112.75.16/28.

Please rate helpful posts.

Well, see, I retyped everything:

Trane Net:

159.112.75.XX <-- Workstation IP's

159.112.75.254 <-- Gateway

255.255.255.128 <-- Subnet

PIX VPN:

159.112.75.15-30 <-- IP Pool for VPN

159.112.75.14 <-- PIX Router

255.255.255.*** <-- the new subnet I'll set for VPN clients

Nothing else will share the subnet the VPN is on.. the only other subnet is the .128

I don't know if I confused you or not. Should I switch the VPN pool and gateway IP so they are in the same subnet?

Would it matter if I set up an IP reserve for, let's say, 159.112.76.100-159.112.76.255 and put the IP pool as that and make the PIX either 159.112.76.1 or .100?

What I really don't understand is that if I use Angry IP Scanner when I'm connected via DHCP, it lets me find almost every host on the 159.112.75.* IP range. But if I change my IP to, let's say, 159.112.75.15, make the gateway the same and the subnet 255.255.255.0, I can't 'see' any of the clients in the other network anymore.

Can I route the entire subnet without having to specify a specific IP?

ip route 159.112.75.15 255.255.255.0 192.168.75.14 is the command but I want all traffic for the entire network routed to 159.112.76.1 if the subnet is 255.255.255.0

So the command would be:

ip route any 255.255.255.0 192.168.76.1

Correct?

This is why you should use a completely different network subnet for the client subnet. If new vpn client network is 172.16.100.0/24 then...

ip route 172.16.100.0 255.255.255.0 192.168.75.14

OK I'm starting to understand..

That command will make sure any requests made to the Trane subnet from the VPN subnet will be directed back to the other gateway. So here's my final draft:

IP RANGE: 159.112.100.1 - 159.112.100.254

Subnet: 255.255.255.0

PIX Gateway: 159.112.100.1

Command to map:

ip route 159.112.100.0 255.255.255.0 159.112.100.1

Am I close?
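The checks acomiskey's replies boil down to, as an added example that is not part of the thread: the client pool must be a single valid prefix that overlaps no inside network and does not swallow the PIX's own inside address, and the return route on the LAN router must point at the PIX inside address rather than at an address inside the pool (which is what the final draft above does). The inside LAN and PIX address are taken from the thread; everything else is constructed for the example.

```python
import ipaddress

# Constructed from the thread: the Trane LAN behind the Cisco router and the
# PIX inside address that return traffic for the VPN pool must be sent to.
INSIDE_LANS = [ipaddress.ip_network("159.112.75.128/25")]  # mask 255.255.255.128
PIX_INSIDE = ipaddress.ip_address("159.112.75.14")


def valid_mask(mask: str) -> bool:
    """True only for a contiguous netmask such as 255.255.255.240."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}")
        return True
    except ValueError:          # e.g. 255.255.255.129 is not a netmask
        return False


def covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing the whole first..last pool."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    net = blocks[0]
    # Widen the first block until every summarized block fits inside it.
    while not all(b.subnet_of(net) for b in blocks):
        net = net.supernet()
    return net


def check_pool(pool: ipaddress.IPv4Network) -> list:
    """Reasons a client pool cannot coexist with the inside networks."""
    problems = []
    for lan in INSIDE_LANS:
        if pool.overlaps(lan):
            problems.append(f"pool {pool} overlaps inside LAN {lan}")
    if PIX_INSIDE in pool:
        problems.append(f"pool {pool} contains the PIX inside address {PIX_INSIDE}")
    return problems


def return_route(pool: ipaddress.IPv4Network,
                 next_hop: ipaddress.IPv4Address) -> str:
    """IOS static route for the LAN router so replies to VPN clients reach the PIX."""
    if next_hop in pool:
        raise ValueError(f"next hop {next_hop} lies inside {pool}; unresolvable route")
    return f"ip route {pool.network_address} {pool.netmask} {next_hop}"


if __name__ == "__main__":
    pool = covering_prefix("159.112.75.15", "159.112.75.30")
    print(pool, check_pool(pool))
    print(return_route(ipaddress.ip_network("172.16.100.0/24"), PIX_INSIDE))
```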
