Routing over VPN

Unanswered Question
Sep 12th, 2007

Here is my situation.

I have a PIX 515 on subnet 10.6.0.0 with a VPN tunnel to a PIX 501 on subnet 10.7.0.0.

On subnet 10.7.0.0 I have a Linksys VPN router with LAN IP 10.7.1.6 and WAN IP 10.4.194.101.

From there I have a static route in the 501 to 10.7.1.6 to hit the 10.4.194.0 network.

From the console I can ping any IP in the 10.4.194.0 network.

I also put a static route on the 10.6.0.0 PIX to route 10.4.194.0 requests to gateway 10.7.1.6.

As long as I put static routes in PCs on the 10.7 network I can ping anything in the 10.4.194.0, but I cannot ping from the 10.6.0.0 network, and I also cannot ping the 10.6.0.0 network from the 10.4.194.0 network.

I also did a NAT on the 501 for 10.6.0.3 > 10.7.1.90 and I CAN hit 10.7.1.90 from the 10.4.194. network, but cannot directly ping 10.6.0.3.

The machine I really need to get to on the 10.4.194.0 network also has no default gateway set, and I cannot set one, as it is a server managed by General Motors.

Jon Marshall Wed, 09/12/2007 - 23:20
User Badges: Super Blue (32500 points or more); Hall of Fame, Founding Member; Cisco Designated VIP, 2017 LAN, WAN

Hi

1) Do you have a route on the Linksys for the 10.6.0.0 network?

2) Presumably to get to the 10.4.194.0 network you want the traffic to go down the VPN tunnel?

3) If the answer to 2 is yes then you do not need static routes on the PIX 515E, you just need to include that network in the crypto access-list, e.g.

PIX 515E

access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.4.194.0 255.255.255.0

PIX 501

access-list vpntraffic permit ip 10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list vpntraffic permit ip 10.4.194.0 255.255.255.0 10.6.0.0 255.255.255.0

As for the machine on the General Motors network: if it does not have a default gateway set, how are you pinging it from the 10.7.0.0 network? It must have a default gateway set to the 10.7.1.6 Linksys router or it would not know how to route the packets back.

HTH

Jon


sandsautogroup Thu, 09/13/2007 - 07:13

Access lists are put in, but I still cannot get out.

If I don't put a static route on the 515, how will it know how to route all packets for 10.4.194 through the VPN to 10.7.0.0 and then over to 10.4.194???

As for why the pings succeed from the 10.7.0.0 network, I do not know.

The static route on the Linksys is 10.6.0.0 255.255.0.0 gateway 10.7.1.6 LAN.

(The 10.4.194.0 is on the WAN side and 10.7.1.6 is the LAN side.)

Jon Marshall Thu, 09/13/2007 - 09:10

The 515E knows it has to send the packets for 10.4.194.0 through the VPN tunnel because of the crypto access-list, which tells the PIX which traffic to encrypt.

If you can ping the 10.4.194.x server from the 10.7.1.x network then you can NAT all the incoming 10.6.x.x addresses to the inside interface address of your 501 PIX.

So let's say your PIX inside interface is 10.7.1.5:

nat (outside) 3 10.6.0.0 255.255.0.0 outside
global (inside) 3 interface

This will NAT all 10.6.x.x addresses to 10.7.1.5. If you can ping the server from the 501 PIX this will at least allow you to route to and from the server.

Note the number 3 in the above nat and global statements. It does not have to be 3, just any number that you are not using on the firewall for NAT already.

Are you sure that the VPN is actually coming up?

Jon

sandsautogroup Thu, 09/13/2007 - 09:37

The PAT broke connections to the servers on 10.6.0.0, the VPN between 10.7.0.0 and 10.6.0.0.

That VPN is up.

I still don't understand how the 10.6 doesn't need a static route, as there is no VPN between 10.4.194 and 10.6.

There are multiple VPN tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17); how would it know which to route packets for 10.4.194.0 to?

Like I stated before, I NATed 10.6.0.3 outside to 10.7.1.90 inside, and that address I can ping from the 10.4.194 network, but I cannot hit 10.6.0.3 by itself.

I was reading elsewhere that this cannot even be done because the IPsec traffic will not go further than the termination point; exact words quoted below:

"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"

Is this correct???

Jon Marshall Thu, 09/13/2007 - 11:46

Hi

"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"

No, this is absolutely not true. If it was, IPsec would be almost useless.

"i still dont understand how the 10.6 doesnt need a static route, as there is no vpn between 10.4.194 and 10.6"

There does not have to be. The site-to-site VPN is set up between your PIX 515E and your 501. You can pass any number of subnets down this tunnel. You define the subnets allowed down the VPN tunnel in your crypto map access-list (see previous post).

"there are multiple vpn tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17 ) how would it know which to route packets to 10.4.194.0 to"

See previous answer, i.e. the crypto map access-list.

"the PAT broke connections to teh servers on 10.6.0.0 the vpn between 10.7.0.0 and 10.6.0.0

That VPN is up"

Okay, not sure why. Could you send full configs of both the 515E and the 501, minus any sensitive info?

Can you confirm that from the 501 you can ping the server on the 10.4.194.0 network?

Jon

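The two mechanisms Jon relies on in his last two replies, the crypto map access-list deciding which of several tunnels a packet is encrypted into, and the outside-to-inside PAT rule on the 501, can be modelled in a few lines. The following is an added example written for this thread, not code from the thread or from Cisco; the subnets are the ones discussed above, while the tunnel names, peer addresses, the 10.7.1.0/24 spoke subnet on both sides of the tunnel, and the starting PAT port are constructed assumptions.

```python
"""Constructed model of (1) crypto map access-list selection across several
site-to-site tunnels and (2) the 'nat (outside) ... outside' / 'global (inside)
... interface' PAT rule.  Not a PIX implementation; peer addresses, tunnel
names and port numbers are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CryptoAce:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> CryptoAce:
    return CryptoAce(ipaddress.ip_network(src), ipaddress.ip_network(dst))


@dataclass
class Tunnel:
    name: str              # constructed label
    peer: str              # constructed peer address
    acl: List[CryptoAce]   # "interesting traffic", evaluated in order


def select_tunnel(tunnels: List[Tunnel], src_ip: str, dst_ip: str) -> Optional[str]:
    """Name of the first tunnel whose crypto ACL permits src->dst, else None.
    None means the packet is handed to the plain routing table unencrypted,
    which is why a static route alone never puts traffic into a tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for t in tunnels:
        if any(s in a.src and d in a.dst for a in t.acl):
            return t.name
    return None


def mirror_ok(local_acl: List[CryptoAce], remote_acl: List[CryptoAce]) -> bool:
    """Every local src->dst pair must exist on the peer as dst->src; a
    non-mirrored crypto ACL gives one-way or failing security associations."""
    remote = {(a.dst, a.src) for a in remote_acl}
    return all((a.src, a.dst) in remote for a in local_acl)


# Hub (PIX 515E) tunnels, built from the subnets named in the thread.
# 10.4.0.0/17 only spans 10.4.0.0-10.4.127.255, so it does not cover
# 10.4.194.0/24; the entry that does is on the tunnel to the 501.
HUB_TUNNELS = [
    Tunnel("to-site2", "203.0.113.2", [ace("10.6.0.0/24", "10.2.0.0/16")]),
    Tunnel("to-site3", "203.0.113.3", [ace("10.6.0.0/24", "10.3.0.0/16")]),
    Tunnel("to-site4", "203.0.113.4", [ace("10.6.0.0/24", "10.4.0.0/17")]),
    Tunnel("to-501", "203.0.113.7", [ace("10.6.0.0/24", "10.7.1.0/24"),
                                     ace("10.6.0.0/24", "10.4.194.0/24")]),
]
# Spoke (PIX 501) side of the same tunnel: the mirror image of the hub ACL.
SPOKE_ACL = [ace("10.7.1.0/24", "10.6.0.0/24"), ace("10.4.194.0/24", "10.6.0.0/24")]


class OutsidePat:
    """Model of 'nat (outside) 3 10.6.0.0 255.255.0.0 outside' paired with
    'global (inside) 3 interface': sources in 10.6.0.0/16 arriving from the
    tunnel are rewritten to the 501's inside interface address, and the xlate
    table lets replies from the server be mapped back to the real host."""

    def __init__(self, inside_if_ip: str, nat_net: str = "10.6.0.0/16"):
        self.inside_if = inside_if_ip
        self.nat_net = ipaddress.ip_network(nat_net)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 1024   # constructed starting port

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate a packet leaving the inside interface toward the server."""
        if ipaddress.ip_address(src_ip) not in self.nat_net:
            return src_ip, src_port           # rule does not match, untouched
        key = (src_ip, src_port)
        if key not in self.xlate:
            self.xlate[key] = (self.inside_if, self.next_port)
            self.next_port += 1
        return self.xlate[key]

    def reply(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Untranslate a reply addressed to the inside interface address."""
        for orig, mapped in self.xlate.items():
            if mapped == (dst_ip, dst_port):
                return orig
        return None   # no xlate entry: nothing to forward the reply to


if __name__ == "__main__":
    print(select_tunnel(HUB_TUNNELS, "10.6.0.3", "10.4.194.194"))   # to-501
    print(mirror_ok(HUB_TUNNELS[3].acl, SPOKE_ACL))                 # True
    pat = OutsidePat("10.7.1.5")
    print(pat.outbound("10.6.0.3", 40000))                          # ('10.7.1.5', 1024)
```

Running it shows why the 515E needs no static route for 10.4.194.0: the packet matches the second entry of the tunnel to the 501 and is encrypted toward that peer, while a destination outside every crypto ACL (`select_tunnel` returning `None`) leaves in the clear. The `mirror_ok` check is the one to run when a tunnel negotiates but traffic only flows one way; the PAT model makes it visible that the server only ever sees the 501's inside address, which is what lets a host with no default gateway answer at all.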
sandsautogroup Thu, 09/13/2007 - 12:37

Yes, I can ping 10.4.194.194 from 10.7.1.1.

Configs are attached.

Thanks for all your help so far, I really appreciate it.