Here is the situation.
I am the network 'admin' here at a franchise office of Trane systems. We are trying to set up a VPN system so we can connect remotely in the field to our storage servers.
I brought my PIX 506-E in from home to test the VPN connection. I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network. But when I put it on the network I can't 'see' any of the domain computers from the remote machine.
IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network but it only lets me ping the Linux machine we have set up here. The fact that all the entries are correct means the PIX is pushing the right numbers to my remote client. The remote client is a domain computer that I hooked up to a wireless Sprint card, something I've done before with another domain and it works perfectly.
It sometimes lets me ping another terminal server we have here but it only gets one ping, the rest time out.
I really have no clue what to do right now. The PIX is on a separate subnet from the network because the PIX is using a DSL connection and won't let me translate port 80 for our server on the *.*.*.128 subnet.
Any ideas would be greatly appreciated.
Could you possibly simplify your explanation of the problem?
"I can connect to a remote computer when I configure it to the same IP settings of the PIX off the network"
-A remote computer being a vpn client or a computer on the inside network from the vpn client?
"IP Config tells me I'm on the same domain, DNS servers, WINS servers, and subnet as the office network but it only lets me ping the Linux machine we have set up here."
-IP config on the vpn client? The vpn client subnet should be different than the internal network.
It's a bit early for me. Let me try again.
All our computers have to be registered on the domain before they can join the domain.
Computer A is a registered computer on the domain. I'm using this computer and a Sprint wireless card to VPN into my Trane network.
The Trane network has a subnet of *.*.*.128.
Workstation B is the computer I'm trying to connect to on the internal network. I am able to connect to it when I place it on the same network settings (DNS, Gateway, subnet) as the PIX but not when it's configured by the Trane net DHCP, which puts it on a different subnet and gateway as well as DNS and WINS servers.
Computer A has the right domain, DNS, WINS and DNS suffix as the rest of the Trane Net computers but it cannot connect to Workstation B now that it is back on the Trane Net IP settings.
This sounds like a routing problem. What is the normal default gateway of Workstation B when using Trane dhcp? You need to be able to route to the vpn client subnet via the inside interface of the pix. And like I said previously, the vpn client pool needs to be different than any other inside subnet. When you change the ip settings on Workstation B and make its default gateway the inside of the pix, you can reach it from the vpn client.
If you cannot add a route on the network you will need to add a persistent route on Workstation B. Something like...
Hopefully I'm on the right track here.
I think you are. I had a feeling the gateway or subnet was a problem but since you say it's ok for the VPN subnet for Computer A to be .255 and the subnet for Workstation B to be .128 then the only other thing is the gateway.
Workstation B's gateway is *.*.*.129 while the PIX is *.*.*.14.
So the reason why I can't ping from the VPN is because it doesn't know how to route back to the PIX? Is this on my PIX side or the other router for the Trane net side?
Either Workstation B or Workstation B's default gateway will have to have a route to the vpn client subnet via x.x.x.14.
vpn client subnet = 192.168.200.0/24
ip route 192.168.200.0 255.255.255.0 x.x.x.14
The other router for trane net is a Cisco router.. which most likely will accept Cisco CLI instructions. So this could be really easy to fix, if I had access to it. Trane net controls anything that is on 'their' end even though it's sitting in my server room.
What would be the exact command to setup that route? The IP details are as follows:
192.168.75.XX <-- Workstation IPs
192.168.75.254 <-- Gateway
255.255.255.128 <-- Subnet
192.168.75.15-30 <-- IP Pool for VPN
192.168.75.14 <-- PIX Router
255.255.255.129 <-- the new subnet I'll set for VPN clients
A little confused on your vpn pool subnet. That mask would actually be 255.255.255.240 for 192.168.75.16/28. The command would be...
ip route 192.168.75.16 255.255.255.240 192.168.75.14
I'm sorry... I completely mistyped the ranges.
the VPN pool is 184.108.40.206-220.127.116.11
I'm honestly not that smart when it comes to subnets.
That's ok, I'm not either. Does any other 159.112.75.x subnet exist on the network? You could just do "ip route 18.104.22.168 255.255.255.0 192.168.75.14".
22.214.171.124 is part of 126.96.36.199/28. While the other addresses, .16-30 are part of 188.8.131.52/28.
Please rate helpful posts.
Well see I retyped everything:
159.112.75.XX <-- Workstation IPs
184.108.40.206 <-- Gateway
255.255.255.128 <-- Subnet
220.127.116.11-30 <-- IP Pool for VPN
18.104.22.168 <-- PIX Router
255.255.255.*** <-- the new subnet I'll set for VPN clients
Nothing else will share the subnet the VPN is on.. the only other subnet is the .128
I don't know if I confused you or not. Should I switch the VPN pool and gateway IP so they are in the same subnet?
Would it matter if I set up an IP Reserve for let's say.. 22.214.171.124-126.96.36.199 and put the IP pool as that and make the PIX either 188.8.131.52 or .100?
What I really don't understand is that if I use Angry IP Scanner when I'm connected via DHCP, it lets me find almost every host on the 159.112.75.* IP range. But if I change my IP to let's say 184.108.40.206, make the gateway the same and subnet 255.255.255.0, I can't 'see' any of the clients in the other network anymore.
Can I route the entire subnet without having to specify a specific IP?
ip route 220.127.116.11 255.255.255.0 192.168.75.14 is the command but I want all traffic for the entire network routed to 18.104.22.168 if the subnet is 255.255.255.0
So the command would be:
ip route any 255.255.255.0 192.168.76.1
This is why you should use a completely different network subnet for the client subnet. If the new vpn client network is 172.16.100.0/24 then...
ip route 172.16.100.0 255.255.255.0 192.168.75.14
OK I'm starting to understand..
That command will make sure any requests made to the Trane subnet from the VPN subnet will be directed back to the other gateway. So here's my final draft:
IP RANGE: 22.214.171.124 - 126.96.36.199
PIX Gateway: 188.8.131.52
Command to map:
ip route 184.108.40.206 255.255.255.0 220.127.116.11
Am I close?
Not exactly. Leave the pix address where it was. It was 18.104.22.168 right???
Pix inside = 22.214.171.124
VPN Client Pool = 126.96.36.199 - 188.8.131.52
Command in router:
ip route 184.108.40.206 255.255.255.0 220.127.116.11
What this does is let the trane network (159.112.x.x) know how to get to the vpn clients. It says, I get to the vpn client subnet (18.104.22.168/24) by going to the pix (22.214.171.124).
note: I put "192.168.75.14" in my post above. I think you changed the pix address at some point.
255.255.255.0 is a subnet mask. It depends what your trane network is defined as. What networks are there on the trane network? What mask do you get on a dhcp client? What network is the pix connected to?
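The subnet confusion earlier in the thread (a /28 boundary splitting .15 from .16-.30, and 255.255.255.129 not being a valid mask) and the final route above both come down to a few checks that are easy to automate. The following is an added example, not code from anyone in this thread: it uses Python's standard `ipaddress` module to validate a mask, find the smallest CIDR block covering an address range, test whether a proposed VPN pool overlaps the inside network (the advice given repeatedly above), and emit the `ip route` statement for the Trane-side router. Addresses are taken from the thread where they are visible (inside network 192.168.75.0/25, PIX inside 192.168.75.14, proposed pool 192.168.75.15-30, later pool 172.16.100.0/24); anything else is a constructed placeholder.

```python
"""Subnet sanity checks for the VPN-pool routing question in this thread.

Added example (not from the original posts). Values from the thread:
  inside network  192.168.75.0/25   (mask 255.255.255.128)
  PIX inside      192.168.75.14
  first pool idea 192.168.75.15 - 192.168.75.30
  later pool idea 172.16.100.0/24
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network


def mask_is_valid(mask: str) -> bool:
    """True only for a contiguous netmask. 255.255.255.129 is rejected."""
    try:
        IPv4Network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False


def covering_block(first: str, last: str) -> IPv4Network:
    """Smallest single CIDR block that contains every address in first..last."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    net = IPv4Network(f"{lo}/32")
    while hi not in net:          # widen one bit at a time until the end fits
        net = net.supernet()
    return net


def blocks_touched(first: str, last: str, prefix: int = 28) -> list[IPv4Network]:
    """Every /prefix block the range straddles; shows why .15 and .16-.30 differ."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    blocks = []
    cur = IPv4Network(f"{lo}/{prefix}", strict=False)
    while cur.network_address <= hi:
        blocks.append(cur)
        if cur.broadcast_address == IPv4Address("255.255.255.255"):
            break                 # avoid wrapping past the end of IPv4 space
        cur = IPv4Network(f"{cur.broadcast_address + 1}/{prefix}", strict=False)
    return blocks


def pool_is_usable(pool: str, inside_nets: list[str]) -> bool:
    """A VPN client pool must not overlap any inside subnet, or return traffic
    is ambiguous: the router already believes those addresses are local."""
    pool_net = IPv4Network(pool)
    return not any(pool_net.overlaps(IPv4Network(n)) for n in inside_nets)


def route_command(pool: str, next_hop: str, inside: str) -> str:
    """Static route the inside router needs: VPN pool reachable via the PIX.

    Raises if the pool overlaps the inside network or the next hop is not on
    the router's directly connected inside subnet (it must be reachable
    without another lookup).
    """
    pool_net, hop, inside_net = IPv4Network(pool), IPv4Address(next_hop), IPv4Network(inside)
    if pool_net.overlaps(inside_net):
        raise ValueError(f"pool {pool_net} overlaps inside network {inside_net}")
    if hop not in inside_net:
        raise ValueError(f"next hop {hop} is not on inside network {inside_net}")
    return f"ip route {pool_net.network_address} {pool_net.netmask} {hop}"


if __name__ == "__main__":
    print("255.255.255.129 valid?", mask_is_valid("255.255.255.129"))
    print("block covering .15-.30:", covering_block("192.168.75.15", "192.168.75.30"))
    print("/28s touched by .15-.30:", blocks_touched("192.168.75.15", "192.168.75.30"))
    print("pool inside /25 usable?", pool_is_usable("192.168.75.0/27", ["192.168.75.0/25"]))
    print(route_command("172.16.100.0/24", "192.168.75.14", "192.168.75.0/25"))
```

Running it shows that .15-.30 can only be covered by 192.168.75.0/27, which sits entirely inside the 192.168.75.0/25 office network, so that pool fails the overlap check; 172.16.100.0/24 passes and yields exactly the route given above.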
IP Address: 159.112.75.XX
Subnet Mask: 255.255.255.128
PIX (connected to DSL):
IP Address: 126.96.36.199
Subnet Mask: 255.255.255.0
The reason I don't have it on the .128 subnet is because I can't get NAT/PAT working correctly when I try to translate ports from the DSL address.
You won't be able to route to the pix if it's not on the trane network.
You were probably having trouble with NAT/PAT working because the default gateway on the internal devices is not the pix. I assume this is the network topology?
Trane Network -> Router -> Internet
It's kinda like this:
Trane Network(Internet) <- T1 Line <- |Office Network| Webserver -> PIX -> DSL -> Internet
Our webserver is hosted on the DSL line and our webpage resolves to the DSL. TraneNet is a T1 line we use for internet access and Citrix applications. The DSL is dedicated mainly to the website and sometimes us IT guys when we get fed up with the T1's proxy.
For some reason when the PIX was on the same subnet as Trane net, the static (inside,outside) command wouldn't work because the subnets were different, the GUI told me I would have to use *.*.*.0 because it would accept .128 on the DSL or Internal address. I probably set it up wrong but I needed to get the site up so I went with the quickest way I knew how and that was to set up a different subnet and it worked.
The pix inside address should look like this where x = a free address between 129-254. There's no reason you should not be able to use a /25 mask on the pix.
ip address inside 159.112.75.x 255.255.255.128
static (inside,outside) tcp interface www
The webserver's default gateway must be the pix.
When I tried to put it on the same subnet as Trane net, it wouldn't let me map the DSL address.. well it did but it said something about it needing to match the DSL IP to the last part of the subnet for the pix.
I'll try to illustrate the network better:
|Office Network <-> Webserver\Fileserver| - - - DSL
The webserver\fileserver has two NICs, one for the network file server, one dedicated for the DSL and webserver.
Port 80 as well as mail and ftp need to be translated over the PIX to the server. It only works if I keep the subnet like I have it now.. when I set it to .128 for the PIX to match the Trane network it won't translate and replaces .*** with .128 on the last part of the IP address.
" it said something about it needing to match the DSL IP to the last part of the subnet for the pix."
-I don't understand what this means. Could you recreate the scenario and give the exact error? Also, this error is from the pix PDM?
"The webserver\fileserver has two NICs, one for the network file server, one dedicated for the DSL and webserver."
-The server cannot have 2 default gateways so it will be difficult to make it public to 2 different wan connections. If everyone who access the file server via the t1 is a known entity, ie. you know their source address, then you could route to the t1 for those particular addresses and make the default gateway, ie. all other source addresses, the pix inside interface.
"It only works if I keep the subnet like I have it now.. when I set it to .128 for the PIX to match the Trane network it won't translate and replaces .*** with .128 on the last part of the IP address."
-Could you post the config?
1. Yes the error is from the PIX PDM.. in short.. I don't know how to map a route with two different masks in the CLI. I know how to do with the same mask only.
2. The server has two NICs and each is configured for a different gateway. It's a linux box and the apache server is bound to the one interface and everything else is on the other.
As for the config I have to wait a little bit but basically what I would do is map a static route then copy/paste that entry in the PDM so I could map it for the rest of the ports. I thought since I had to do the same when I changed the subnet, I tried and it kept changing the "Translated IP Address" field, the one right above where you choose what port to translate, to *.*.*.0 instead of *130. It gave me a message like "The subnet mask does not match the outside network, we recommend *.*.*.0" and there's no way to force it.
This could easily be me not knowing what I'm doing.. actually that's exactly what it is. I'm learning little by little.