I have a PIX515 on subnet 10.6.0.0 with a VPN tunnel to a PIX501 on subnet 10.7.0.0.
On subnet 10.7.0.0 I have a Linksys VPN router with LAN IP 10.7.1.6 and WAN 10.4.194.101.
From there I have a static route in the 501 to 10.7.1.6 to hit the 10.4.194.0 network.
From the console I can ping any IP in the 10.4.194.0 network.
I also put a static route on the 10.6.0.0 PIX to route 10.4.194.0 requests to gateway 10.7.1.6.
As long as I put static routes in PCs on the 10.7 network I can ping anything in the 10.4.194.0, but I cannot ping from the 10.6.0.0 network, and I also cannot ping the 10.6.0.0 network from the 10.4.194.0 network.
I also did a NAT on the 501 for 10.6.0.3 > 10.7.1.90, and I CAN hit 10.7.1.90 from the 10.4.194. network, but cannot directly ping 10.6.0.3.
The machine I really need to get to on the 10.4.194.0 network also has no default gateway set, and I cannot set one, as it is a server managed by General Motors.
1) Do you have a route on the Linksys for the 10.6.0.0 network?
2) Presumably to get to the 10.4.194.0 network you want the traffic to go down the VPN tunnel?
3) If the answer to 2 is yes then you do not need static routes on the PIX 515E; you just need to include that network in the crypto access-list, e.g.:
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.4.194.0 255.255.255.0
access-list vpntraffic permit ip 10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list vpntraffic permit ip 10.4.194.0 255.255.255.0 10.6.0.0 255.255.255.0
As for the machine on the General Motors network: if it does not have a default gateway set, how are you pinging it from the 10.7.0.0 network? It must have a default gateway set to the 10.7.1.6 Linksys router, or it would not know how to route the packets back.
"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediately at the end of the tunnel will be encoded and sent through the VPN tunnel"
No, this is absolutely not true. If it were, IPSEC would be almost useless.
"I still don't understand how the 10.6 doesn't need a static route, as there is no VPN between 10.4.194 and 10.6"
There does not have to be. The site-to-site VPN is set up between your PIX 515E and your 501. You can pass any number of subnets down this tunnel. You define the subnets allowed down the VPN tunnel in your crypto map access-list (see previous post).
"there are multiple VPN tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17); how would it know which to route packets to 10.4.194.0 to?"
See previous answer, i.e. the crypto map access-list.
"the PAT broke connections to the servers on 10.6.0.0. The VPN between 10.7.0.0 and 10.6.0.0: that VPN is up"
Okay, not sure why. Could you send full configs of both the 515E and the 501, minus any sensitive info?
Can you confirm that from the 501 you can ping the server on the 10.4.194.0 network?
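An added check, written in Python for this thread and not posted by either participant, for the point both replies make: the crypto map access-list is the tunnel's traffic selector, so a flow is protected only if a permit entry matches it, and the peer must hold the mirror-image entry. The 515E ACL repeats the reply's lines; the 501 ACL is constructed to be missing one mirror entry.

```python
import ipaddress

# Constructed sample configs (not from the thread). The 515E side reproduces the
# reply's crypto ACL for the two forward subnets; the 501 side deliberately lacks
# the mirror of the 10.4.194.0 entry.
PIX_515E_ACL = """
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.4.194.0 255.255.255.0
"""
PIX_501_ACL = """
access-list vpntraffic permit ip 10.7.1.0 255.255.255.0 10.6.0.0 255.255.255.0
"""

def parse_pix_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC MASK DST MASK' lines.
    PIX ACLs take subnet masks (255.255.255.0), not IOS wildcard masks, so
    'addr/mask' can be handed to ip_network() directly."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}")
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}")
        entries.append((p[2], src, dst))
    return entries

def selected_for_tunnel(entries, src_ip, dst_ip):
    """True if a src->dst packet hits a permit ACE (first match wins).
    Unmatched traffic is not protected by the crypto map and simply follows
    the routing table, which is why a static route alone does not help."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def missing_mirrors(local, remote):
    """Permit ACEs on `local` with no mirror image (src/dst swapped) on `remote`.
    Cisco's guidance is that both peers' crypto ACLs be mirror images; a
    one-sided entry shows up as a phase 2 proposal the other peer rejects."""
    remote_pairs = {(s, d) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in remote_pairs]

if __name__ == "__main__":
    local, remote = parse_pix_acl(PIX_515E_ACL), parse_pix_acl(PIX_501_ACL)
    print("515E tunnels 10.6.0.3->10.4.194.50:", selected_for_tunnel(local, "10.6.0.3", "10.4.194.50"))
    print("501 tunnels 10.4.194.50->10.6.0.3:", selected_for_tunnel(remote, "10.4.194.50", "10.6.0.3"))
    for s, d in missing_mirrors(local, remote):
        print(f"501 is missing the mirror of {s} -> {d}")
```

Run against the real configs once they are posted, the mirror check is the first thing to look at before touching routes.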