Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Routing over VPN

Here is my situation

i have a PIX515 on subnet 10.6.0.0 with a vpn tunnel to a pix501 on subnet 10.7.0.0

on subnet 10.7.0.0 i have a linksys vpn router with LAN ip 10.7.1.6 and WAN 10.4.194.101

from the i have static route in the 501 to 10.7.1.6 to hit the 10.4.194.0 network

form the console i can ping any ip in the 10.4.194.0 network

i also put a static route on the 10.6.0.0 pix to route 10.4.194.0 requests to gateway 10.7.1.6

as long as i put static routes in pcs on the 10.7 network i can ping anyhting in the 10.4.194.0, but i cannot ping from the 10.6.0.0 network , and i also cannot ping the 10.6.0.0 network from the 10.4.194.0 network.

i also did a nat on the 501 for 10.6.0.3 > 10.7.1.90 and i CAN hit the 10.7.1.90 from the 10.4.194. network, but cannot directly ping 10.6.0.3

the machine i really need to get to on the 10.4.194.0 network also has no default gateway set, and i cannot set one, as is is a server managed by General Motors.

6 REPLIES
Hall of Fame Super Blue

Re: Routing over VPN

Hi

1) Do you have a route on the linksys for the 10.6.0.0 network ?

2) Presumably to get to the 10.4.194.0 network you want the traffic to go down the vpn tunnel ?

3) If answer to 2 is yes then you do not need static routes on the pix 515E, you just need to include that network in the crypto access-list eg.

Pix 515E

access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.7.1.0 255.255.255.0

access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.4.194.0 255.255.255.0

Pix 501

access-list vpntraffic permit ip 10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0

access-list vpntraffic permit ip 10.4.194.0 255.255.255.0 10.6.0.0 255.255.255.0

As for the machine on the General Motors network. If it does not have a default gateway set how are you pinging it from the 10.7.0.0 network. It must have a default gateway set to the 10.7.1.6 linksys router or it would not know how to route back the packets ?

HTH

Jon

New Member

Re: Routing over VPN

access list are put in, but i still cannot get out.

if i dont put a static route n the 515, how will it know how to route all packets for 10.4.194 though the vpn to 10.7.0.0 then over to 10.4.194???

as for why the pings succed from the 10.7.0.0 network, i do not know.

the static route on the linksys is 10.6.0.0 255.255.0.0 gateway 10.7.1.6 LAN

(the 10.4.194.0 is on the wan side and 10.7.1.6 is the LAN side)

Hall of Fame Super Blue

Re: Routing over VPN

The 515E knows it has to send the packets for 10.4.194.0 through the VPN tunnel because of the crypto access-list which tells the pix which traffic to encrypt.

If you can ping the 10.4.194.x server from the 10.7.1.x network then you can NAT all the incoming 10.6.x.x address to the inside interface address of your 501 pix.

So lets say your pix inside interface is 10.7.1.5

nat (outside) 3 10.6.0.0 255.255.0.0 outside

global (inside) 3 interface

This will NAT all 10.6.x.x addresses to 10.7.1.5. If you can ping the server from the 501 pix this will at least allow you to route to and from the server.

Note the number 3 in the above nat and global statements. It does not have to be 3, just any number that you are using on the firewall for NAT already.

Are you sure that the VPN is actually coming up ?

Jon

New Member

Re: Routing over VPN

the PAT broke connections to teh servers on 10.6.0.0 the vpn between 10.7.0.0 and 10.6.0.0

That VPN is up.

i still dont understand how the 10.6 doesnt need a static route, as there is no vpn between 10.4.194 and 10.6

there are multiple vpn tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17 ) how would it know which to route packets to 10.4.194.0 to?

like i stated before, i nated 10.6.0.3 outside 10.7.1.90 inside, and that address i can ping form the 10.4.194 network, but i canot hit the 10.6.0.3 by itself.

i was reading elsewhere that this cannot even be done because the ipsec traffic will not go futher than the termination point exact words quoted below

"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"

is this correct???

Hall of Fame Super Blue

Re: Routing over VPN

Hi

"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"

No this is absolutely not true. If it was IPSEC would be almost useless.

"i still dont understand how the 10.6 doesnt need a static route, as there is no vpn between 10.4.194 and 10.6"

There does not have to be. The site-to-site VPN is setup between your PIX 515E and your 501. You can pass any number of subnets down this tunnel. You define the subnets allowed down the VPN tunnel in your crypto map access-list (see previous post)

"there are multiple vpn tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17 ) how would it know which to route packets to 10.4.194.0 to"

See previous answer ie. the crypto map access-list.

"the PAT broke connections to teh servers on 10.6.0.0 the vpn between 10.7.0.0 and 10.6.0.0

That VPN is up"

Okay, not sure why. Could you send full configs of both 515E and 501 minus any sensitive info.

Can you confirm that from the 501 you can ping the server on the 10.4.194.0 network ?

Jon

New Member

Re: Routing over VPN

yes i can ping 10.4.194.194 from 10.7.1.1

confings are attached

thanks for all your help so far, i really appreciate it

311
Views
0
Helpful
6
Replies
CreatePlease to create content