VPN Tunnel with remote source network

yasaman64
Level 1

Hi Everyone,

I've been working with VPNs for some time now, but I got confused over this scenario; can anyone help me with this?

I have a firewall, and a router behind the firewall is going to route all IP addresses from subnet 10.2.2.0 destined for 10.3.3.0 to my firewall so I can create a tunnel to a remote site with the interesting traffic of

local: 10.2.2.0 and remote: 10.3.3.0. But the thing is, 10.2.2.0 is not local to my firewall, and my firewall's inside IP address is 10.10.10.1.

So my question is: is this doable or not, and if not, what would be the solution for it?

Thank you so much.

8 Replies

The "interesting traffic" for the VPN doesn't have to be locally connected to the VPN gateway. In fact, if you have a clean network design, it nearly never is. From the firewall you have a transfer network to an L3 switch where your user networks are connected. For the VPN gateway these user networks are all reachable through the L3 switch. But the traffic for these networks can be protected by the VPN gateway without any problems.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten, so I don't have to have a sub-interface on my firewall in the subnet of my user network? Just define the interesting traffic from 10.2.2.0 to 10.3.3.0?

That's right. The rest is done by pure routing to and from your VPN gateway.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

The router in my firewall LAN is going to route the packets destined for the remote network (10.3.3.0) to my firewall. Do I need a route on my firewall to route the 10.3.3.0-destined packets to the WAN default gateway (although I have a VPN tunnel for that)?

Yes; without a route for the remote network, the packets wouldn't get to the outside interface where the crypto map is waiting for the packets to protect them.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

No crypto map in on my firewall; what I am saying is, do I need a route on my firewall to the remote protected network to go through the default WAN gateway?

Yes, you need a route. But what device are you talking about if you don't have a crypto map?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I have a crypto map on my firewall, so I think I get it now: I need a route on my firewall (which my crypto map is on) to the remote network, which is the destination for the interesting traffic.

Thank you so much, Karsten.
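The setup the thread converges on, written out as an added Cisco IOS-style configuration (not posted by anyone in the thread, and not tied to the asker's actual platform). It assumes a policy-based IPsec tunnel with a crypto map on the outside interface; the WAN addresses (203.0.113.x), the peer address, the inside router address 10.10.10.2 and the pre-shared key placeholder are assumptions, while 10.2.2.0/24, 10.3.3.0/24 and 10.10.10.1 come from the thread.

```cisco
! Phase 1 (IKEv1) policy and peer key. 203.0.113.2 is an assumed remote peer,
! <PRE_SHARED_KEY> is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address 203.0.113.2
!
! Phase 2 transform set
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: the source network 10.2.2.0/24 is NOT directly
! connected to this firewall; it lives behind the inside router.
! The crypto ACL only needs to match the flow, not a local interface.
ip access-list extended VPN-INTERESTING
 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 description INSIDE - transfer network to the LAN router
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 description OUTSIDE - crypto map is applied here
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-OUTSIDE
!
! Route 1: the remote network must be routed toward the WAN gateway
! (assumed 203.0.113.254) so packets reach the outside interface, where
! the crypto map matches them and encrypts them. A default route alone
! already does this; the explicit /24 just makes the intent visible.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 10.3.3.0 255.255.255.0 203.0.113.254
!
! Route 2: the return path. Decrypted packets for 10.2.2.0/24 must be
! handed back to the inside router (assumed 10.10.10.2), since the source
! network is not local to the firewall.
ip route 10.2.2.0 255.255.255.0 10.10.10.2
!
! If this firewall also performs NAT for inside traffic, the
! 10.2.2.0/24 -> 10.3.3.0/24 flow must be exempted from NAT (not shown).
```

Verify with `show crypto ipsec sa` (encaps/decaps counters on the 10.2.2.0/24 to 10.3.3.0/24 identity) and `show ip route 10.3.3.0` to confirm the remote network resolves to the outside interface.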