VPN Routing Issue

paul.gagnon
Level 1

Got a good one for you guys. This is a routing issue to network without routers.

I have a remote site that connects through a PIX 501 to a Cisco 3015 concentrator. (The public interface of the concentrator is on the DMZ of a SonicWALL Pro VX.) This works fine. The network behind the PIX is 10.25.99.0/24. The local LAN behind the local interface of the VPN concentrator is 10.25.100.0/24. I can ping and connect to any resources on the 10.25.100 network.

The private 10.0.0.0 network is very very very extensive from that point on, and the users on the 10.25.99.0 network need access to resources that are at least 5 router hops away. Running EIGRP on all the routers. The next hop router after 10.25.100.1 is over a point-to-point T-1, then the router on that end has a connection to the frame relay cloud where it goes to remote sites, at one of which there's a mainframe that the users behind the 10.25.99.0 network need.

I need to make every other router aware of the 10.25.99.0 network so that connecting to remote resources will work. In other words, pinging will send the packet all the way to the resource, but it does not know how to return.

Here's what I've done, which sounds like it would work in theory, but I have not tested it yet. In the concentrator I've added the network to the IP routing/static routes section. All inbound traffic from VPN to 10.0.0.0 is pointed to the 10.25.100.1 router. This works fine for VPN client connections because clients get assigned a 10.25.100.xxx address from a pool. Since the concentrator runs RIP, I did a router rip on the Cisco router and network 10.0.0.0. I am hoping that by doing this the rest of the network will become "aware" of how to get packets back to the concentrator for the 10.25.99.0 network.

The other option I am looking at is adding a static route to 10.25.99.0 pointed to the LAN interface of the concentrator. I'm not sure if this route will populate the routing tables, as I am still a novice at EIGRP routing.

3 Replies

Hello

By giving the EIGRP router a static route pointing to the .99.0 network, you will populate the routing table of that router, the same as you do by enabling RIP on the concentrator and the PIX.

You must assure that all other EIGRP routers receive the routing information; if not, work with static routes.

I think that you should have placed the inside interface of the concentrator in the DMZ and the outside interface on the Internet, because by doing so your firewall will be able to inspect decrypted packets.

Bye

l.byford
Level 1

Paul

Add the route as you say and use the redistribute static command on that router's EIGRP config to tell it to advertise that route to the other routers in that AS.

Lee.

Thanks for the tip on redistribute.

I have RIP v2 running on both the router and the LAN interface of the concentrator, and when I do a "show ip prot" I can see that these 2 devices are "ripping" with each other.

What about doing this:

router rip
 version 2
 network 10.0.0.0
 redistribute eigrp 90
 default-metric 2

EIGRP AS is 155.

Admin distance is 90/170 internal/external.

Admin distance for RIP v2 is 120.