I have set up a site-to-site VPN between my company and a consultant firm, with PIX firewalls on either end. The tunnel has been created and communication has been established; however, there is a problem with routing back to the consultant firm.
There are 2 specific servers that the consultants need to hit, and the ACLs have been configured accordingly. The problem is that the 2 servers do not know how to route packets back to the consultant network: the traffic goes to the default gateway and out to the WAN instead. Our PIX 506 is not on the same subnet as the 2 servers, so we cannot add a static route to the servers.
PIX 506 - x.x.70.0 network 255.255.254.0 mask
Servers - x.x.59.0 network 255.255.255.0 mask
We do have a Catalyst 6509 running at layer 3 with the MSFC2 card, which handles our internal routing (we have multiple subnets in our location). How can I set a static route to the consultant network for these servers to send the packets to the inside interface of the PIX? Would it be this simple, or do I need to use some smoke and mirrors to get this to work?
You need to add a route on the 6500 MSFC (assuming this is the servers' next hop outbound) that refers to your remote network and directs the traffic to the PIX. If the 6500 and the PIX are not on the same network, then you need to add a route on every intermediate hop until you get to the PIX. It should be that simple, yes.
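The configuration the answer describes, written out as an added example that is not part of the original thread. The addresses are placeholders chosen for illustration: 10.1.70.0/23 stands in for the PIX 506 inside network (x.x.70.0/23 in the question), 10.1.59.0/24 for the server subnet (x.x.59.0/24), 10.1.70.254 is an assumed address for the PIX inside interface, 10.1.70.1 an assumed address for the MSFC's interface on that network, and 192.168.100.0/24 an assumed consultant network behind the remote PIX.

```cisco
! --- Catalyst 6509 MSFC2 (the servers' default gateway) ---
! Placeholder addresses, see the lead-in above; substitute your real values.
! Send anything destined for the consultant network to the PIX inside interface.
ip route 192.168.100.0 255.255.255.0 10.1.70.254

! Checks: the route is installed and a consultant host resolves to the PIX as next hop.
show ip route 192.168.100.0
show ip cef 192.168.100.10

! --- PIX 506 (PIX 6.x syntax) ---
! The PIX is not on the server subnet, so it must know to reach 10.1.59.0/24
! through the MSFC rather than out the default route. Since traffic already
! reaches the servers, this is usually present; verify rather than assume.
route inside 10.1.59.0 255.255.255.0 10.1.70.1 1

! Checks: inside route present, and decrypted/encrypted counters both climbing
! once the servers reply through the tunnel instead of the WAN.
show route
show crypto ipsec sa
```

Two caveats a practitioner would check before calling it done. First, every hop between the server subnet and the PIX needs the route; if the servers' gateway is an interface on the MSFC and the PIX inside network is also directly attached to the MSFC, the single `ip route` above is enough. Second, the servers' replies now arrive at the PIX inside interface from the MSFC, so the crypto ACL and the NAT exemption (`nat 0 access-list`) on the PIX must match the server subnet as the source; if they only match the PIX's own 70.0/23 network, the replies will be dropped or sent out the WAN in the clear.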