
New Member

Roadwarrior and VPN access (2nd act)

Hi everybody. Some days ago I've posted a question about roadwarriors and jackko was very clear about that: http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd95067

Now I've a new scenario: it's similar to the old one:

supportotesi.altervista.org/ing.temporaneo.jpg

but now on the inside network 10.0.0.x there's a router 10.0.0.139 and it can access the 172 net. Now I always need to reach that net from the outside with the Cisco VPN client. As jackko said:

since the pix is protecting 10.0.0.x not 172.17.x.x, it's not feasible for the pix to provide vpn access to a network that is outside the pix. one workaround is to setup a terminal server at 10.0.0.x. when roadwarrior connects to 10.0.0.x via vpn, he/she can establish a terminal session to the server (ip: 10.0.0.x), then from the server he/she will be able to access 172.17.x.x.

Now my question is:

when I connect to the protected network 10.0.0.x from a Cisco VPN client 10.0.9.x it doesn't have any gateway. I thought: if I give the 10.0.9.x the gateway 10.0.0.139 (that is the router) maybe I can reach the 172 net. I've tried with the Cisco client under Windows, but when I put a gateway address in the new LAN interface (the Cisco VPN client one) my PC doesn't go to the internet anymore and in any case it can't reach the 172 net.

I've tried with Linux, saying this:

route add -net 172.17.0.0 netmask 255.255.128.0 gw 10.0.0.139

but it says that the network is unreachable.

Is there a way, with a router attached to 10.0.0.x that can reach the 172 net, to let roadwarriors 10.0.9.x reach the 172 net?

Thanks

4 REPLIES
Gold

Re: Roadwarrior and VPN access (2nd act)

i was thinking it may work provided you added the 172 net as part of the no-nat and crypto acls, and a static route on the pix pointing to the 10.0.0.139 router for the 172 net.

however, a second thought suggests that it may not be feasible as the pix will not forward the packets (from vpn client to 172 net) to the 10.0.0.139 router. the reason being the pix outside interface is directly connected to 172 net, thus the static route will not be considered.

e.g.

vpn client sends a packet with destination 172 net. the pix receives the packet since 172 net has been included as part of the no-nat and crypto acls for remote vpn access. pix will then decrypt the packet and try to determine the next hop. since the pix outside interface is part of 172 net, pix will not send the packet to the 10.0.0.139 router. so again, based on the rule that pix will not re-route the traffic back to the same interface, this solution will probably fail.

one workaround i can think of is to configure remote vpn access on the router. since the router doesn't have the restriction like pix (i.e. packet from an interface will not be routed back to the same interface), it should work. one catch is that the pix will then need to perform 1-to-1 nat for the router, so that remote vpn client can reach the router from outside world in order to establish vpn tunnel.

New Member

Re: Roadwarrior and VPN access (2nd act)

Thanks again jackko!

I was thinkin' about this:

the roadwarriors (let's say 10.0.9.x) can reach the router 10.0.0.139.

Is it possible to tell the router: well, everything from 10.0.9.x put into the 172?

Ummm...maybe not because the router is connected to pix as well... I don't know.

However...with the OS v.7 I can tell the pix to re-route the packet to 172 right?

It seems the easiest solution...

edit: another thing: is it possible in the router to define a vpngroup as in the pix?

In the pix it was really simple:

vpngroup test address-pool mypool

vpngroup test idle-time 1800

vpngroup test password mypass

Gold

Re: Roadwarrior and VPN access (2nd act)

"Is it possible to tell the router: well, everything from 10.0.9.x put into the 172? Ummm...maybe not because the router is connected to pix as well... I don't know." i guess it's not possible, please read the example from my previous post.

i would say configuring remote vpn access on the router is probably the way as long as the router supports ipsec; the config is very straightforward too. as mentioned, with this scenario, a 1-to-1 nat needs to be configured on the pix for the router, so that the remote vpn client can establish the vpn.

Gold

Re: Roadwarrior and VPN access (2nd act)

please feel free to discuss the remote vpn access configuration on the router.
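The following is an added configuration example illustrating jackko's proposal (terminate the remote-access VPN on the 10.0.0.139 router and give the router a 1-to-1 static NAT on the PIX); it is not configuration posted in this thread nor Cisco's reference configuration. It also answers the earlier question about a router equivalent of the PIX vpngroup commands: on IOS the counterpart is crypto isakmp client configuration group. Assumptions: the router runs an IOS image with crypto support and has FastEthernet0/0 facing the PIX inside network, the 172.17.0.0/17 net (the 255.255.128.0 mask from the route command above) is reached through another router interface, the group name test and password mypass are reused from the thread, PUBLIC_IP is a placeholder for the PIX outside address reserved for the router, and the user, pool, ACL and crypto map names are invented for this example.

```cisco
! --- Router 10.0.0.139: IOS Easy VPN server (added example, not from the thread) ---
aaa new-model
aaa authentication login vpnusers local
aaa authorization network vpngroups local
! placeholder user for Xauth; replace before use
username roadwarrior password 0 CHANGEME
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! IOS equivalent of the PIX "vpngroup test ..." lines quoted in the thread
crypto isakmp client configuration group test
 key mypass
 pool ROADWARRIORS
 acl SPLIT-TUNNEL
!
ip local pool ROADWARRIORS 10.0.9.1 10.0.9.254
!
! Split tunnel: only 172.17.0.0/17 is sent through the tunnel,
! so the client keeps its normal internet path (the Windows symptom in the question)
ip access-list extended SPLIT-TUNNEL
 permit ip 172.17.0.0 0.0.127.255 10.0.9.0 0.0.0.255
!
crypto ipsec transform-set RA-SET esp-3des esp-sha-hmac
!
crypto dynamic-map RA-DYN 10
 set transform-set RA-SET
 ! install a route for each connected client's 10.0.9.x address
 reverse-route
!
crypto map RA-MAP client authentication list vpnusers
crypto map RA-MAP isakmp authorization list vpngroups
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYN
!
interface FastEthernet0/0
 description towards PIX inside network 10.0.0.x
 ip address 10.0.0.139 255.255.255.0
 crypto map RA-MAP
!
! --- PIX (6.x syntax; added example) ---
! 1-to-1 NAT so the VPN client can reach the router from the outside world;
! PUBLIC_IP is a placeholder for the outside address reserved for the router
static (inside,outside) PUBLIC_IP 10.0.0.139 netmask 255.255.255.255
access-list outside_in permit udp any host PUBLIC_IP eq isakmp
access-list outside_in permit esp any host PUBLIC_IP
access-list outside_in permit udp any host PUBLIC_IP eq 4500
access-group outside_in in interface outside
```

Two points to check before relying on this: hosts on the 172 net must have a route back to 10.0.9.0/24 via the router (reverse-route only helps the router itself), and the PIX access list above admits only ISAKMP, ESP and NAT-T (UDP 4500) to the router's public address, so nothing else on 10.0.0.139 is exposed. The 3DES/group 2 parameters match what the Cisco VPN Client of that era supported; a current deployment would use AES and stronger Diffie-Hellman groups.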
