see attached image of network diagram.
i have been trying to figure something out for quite some time now and i feel like after 15 hours it is time to seek some advice as to what i am missing.
i have a pix 525 with ios 8.0.4 on it. i am trying to make what i believe to be one of the most basic uses of this device. i want to set up a vpn at my house.
once i introduce the vpn, things start getting wacky and i have some basic questions. i have gone and done a full factory reset with the following.
erase configuration in flash memory: yes
proceed with reload [confirm]: yes
#answer yes with y enter
Preconfigure firewall now through interactive prompts: [yes]: hit enter key
Firewall Mode [Routed]: hit enter key or [transparent] to configure the other way
enable password [password]..................pick one between 's
allow password recovery: enter y enter
year enter 2013
inside ip 10.1.1.2
net mask 255.0.0.0
ip of host running device manager: just hit enter
with this basic default reset on the vpn and the outside port unplugged and an ethernet cable going from the comcast modem to the netgear router, i can successfully ping the router, and all member servers on the inside port, as well as get on the internet. this seems logical and correct to me.
my problems all start when i disconnect the ethernet cable from the modem which goes to the data port on the router and try to use the outside port as diagramed in the picture. my questions are pretty simple i think:
1) the inside port can go to either a switch port or the data port on the router correct?
when it is hooked up to the switch port on the router i can ping all member server host names and ips correctly but i can't ping any hosts or ips on the internet. it does resolve the host name to the ip properly. when i hook it to the data port i am not able to ping anything. for now it appears to work on the switch port just fine so no big deal. i'm simply looking for clarification or reasons why one would use one over the other, unless i am way off on everything.
2) the outside port on the vpn should connect up to the comcast modem ethernet jack correct? when i configure an outside interface, such as 188.8.131.52 i am able to ping the outside interface from the 525 but not anything from the internet. my member servers are not able to ping the 184.108.40.206 ip address. what should i choose as the ip, netmask and gateway on the outside interface and how do i make this all work?
3) how do i make the routes between them that function? i think i need some clarity around this as well. the help on the device uses the word foreign network and we are using terms like inside and outside. i'm not sure which is foreign to what basically. a good working, simple example like this will do wonders for my understanding on routes between subnets.
1. Your netgear will probably do some NAT (address translation).
2. Your netgear wants to route.
3. The above means the netgear needs TWO addresses, one on each interface.
To do routing you need to make your network smaller.
Change 255.0.0.0 on the local network to 255.255.255.0 or so.
If not the netgear may think ALL 10.1.1.x hosts are on the same interface and will not forward to the other port (to the 525)
Use something like 10.1.2.1 255.255.255.252 and 10.1.2.2 for the interconnect between netgear and 525
The 525 has no dhcp service active? so the netgear probably gets no ip address when the port is connected to the 525.
Manually configure an address in a different subnet than the 10.1.1.x hosts on the connecting interface.
i set the outside port to dhcp setroute, and that has solved part of my problem.
now the outside interface can ping outbound and the inside interface can ping inside.
my only problem at this point is that my inside interface can't ping any outside interface and get a response. it can however ping the outside interface ip.
once i can get this i can leave the device plugged in inline and work on the actual vpn access to it. its quite a pain right now that i have to keep changing the wiring just to get on the internet.
based on the configuration....this leads me to believe that the outside ip address is blocking icmp traffic back inward. am i correct in assuming this and how can i bridge the inside interface to the outside?
I repeat, your problem lies in your subnet mask.
because of the mask 255.0.0.0 the netgear thinks that ALL nodes from 10.1.1.1 to 10.255.255.254 are reachable using interface 10.1.1.1, and won't route packets to the other port.
Only packets received from the pix on the connecting port will be answered on the same port.
-> you need to split the network
like 10.1.1.1 - 10.1.255.254 mask 255.255.0.0 on the inside network
and 10.1.2.1 - 10.1.2.254 mask 255.255.255.0 (or 10.1.2.1 - 10.1.2.2 mask 255.255.255.252) between the netgear router and the pix.
i have since changed something and made some slight progress. on the outside interface i am using ip address dhcp setroute which is pulling an ip from the cable modem/provider.
the outside interface can now ping out and the inside interface can ping inward.
the ip of the outside interface is now 24.x.x.26
while you are saying to change my netmask shouldn't i be able to specify a route between the two networks and not have to re-subnet the entire lan to make this work?
technically you could solve this with static routes.
But then you need multiple static routes both on the 525 and on the netgear.
this is not common practice.
As the 10.1.1.1 /255.0.0.0 network is reachable on both interfaces of the netgear, you need to specify for each host which interface to use (a separate static route)
And you must let the 525 know it cannot reach 10.1.1.3 (and all other hosts) directly, but add a static route to send packets for 10.1.1.3 to 10.1.1.1
As you cannot group all nodes into a common subnet, you must specify this for all nodes connected to the boxes separately; this adds a lot of static routes.
normally you configure the network in a hierarchical order; in subnets each with a default gateway.
this default gateway also has its own default gateway (mostly the next hop to the rest of the network).
In this setup the devices connected to box 1, 2, 3 have the netgear as default gateway
and the netgear has the 525 as default gateway.
then on the 525 you add only a single static route to send packets for 10.1.1.1 - 10.1.1.254 to the netgear (10.1.2.1)
and the netgear knows 10.1.1.x is on one interface and 10.1.2.x on the other, and sends all the rest to the 525.
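As an added illustration of the two replies above (it is not part of the thread and not a Cisco tool), the script below models the Netgear and the PIX 525 as two routers with connected and static routes and walks a packet through them using longest-prefix match. The "before" topology uses the 255.0.0.0 mask on both boxes, as in the original setup; the "after" topology uses the split suggested in the replies: 10.1.1.0/24 on the LAN, 10.1.2.0/30 between the Netgear and the PIX, and a single static route on the PIX. The /24 for the LAN, the 203.0.113.0/24 documentation range standing in for the Comcast side, the wire names and 8.8.8.8 as the test destination are all assumptions made for the example.

```python
"""Longest-prefix-match forwarding over the home topology discussed in the
thread.  Added example: addresses marked 'assumed' are not from the thread."""
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    def __init__(self, name, interfaces, static_routes=()):
        # interfaces: {iface_name: ("10.1.1.1/8", wire_name)}; two interfaces
        # are on the same broadcast segment iff they share a wire name.
        self.name = name
        self.ifaces = {n: (ip_interface(cidr), wire)
                       for n, (cidr, wire) in interfaces.items()}
        # Connected routes: on-link, no next hop.
        self.routes = [(i.network, n, None) for n, (i, _) in self.ifaces.items()]
        # Static routes: (prefix, next_hop); egress interface is resolved by
        # looking the next hop up in the table, as a real router does.
        self.routes += [(ip_network(p), None, ip_address(nh))
                        for p, nh in static_routes]

    def lookup(self, dst):
        """Longest-prefix match: the most specific route containing dst wins."""
        best = None
        for net, iface, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return best

    def egress(self, dst):
        """Return (iface, wire, target): target is the address ARPed for on the wire."""
        hit = self.lookup(dst)
        if hit is None:
            return None
        net, iface, nh = hit
        if nh is None:
            return iface, self.ifaces[iface][1], dst
        hit2 = self.lookup(nh)               # next hop must itself be on-link
        if hit2 is None or hit2[2] is not None:
            return None
        return hit2[1], self.ifaces[hit2[1]][1], nh


def trace(routers, start, dst, max_hops=6):
    """Hop list for a packet to dst; ends when the ARP target is not a router
    on that wire (a host, the ISP, or nobody at all)."""
    dst = ip_address(dst)
    path, cur = [], start
    for _ in range(max_hops):
        eg = routers[cur].egress(dst)
        if eg is None:
            return path + [(cur, "no route")]
        iface, wire, target = eg
        path.append((cur, iface))
        owner = next((n for n, r in routers.items() if n != cur and any(
            i.ip == target and w == wire for i, w in r.ifaces.values())), None)
        if owner is None:
            return path + [("wire:" + wire, str(target))]
        cur = owner
    return path


def build_before():
    """Original setup: 255.0.0.0 everywhere, Netgear WAN port without an address."""
    return {
        "netgear": Router("netgear", {"lan": ("10.1.1.1/8", "lan")},
                          [("0.0.0.0/0", "10.1.1.2")]),
        "pix": Router("pix", {"inside": ("10.1.1.2/8", "link"),
                              "outside": ("203.0.113.26/24", "isp")},   # assumed
                      [("0.0.0.0/0", "203.0.113.1")]),                 # assumed
    }


def build_after():
    """Split suggested in the replies: /24 LAN (assumed), /30 interconnect,
    one static route on the PIX for the LAN via the Netgear."""
    return {
        "netgear": Router("netgear", {"lan": ("10.1.1.1/24", "lan"),
                                      "wan": ("10.1.2.1/30", "link")},
                          [("0.0.0.0/0", "10.1.2.2")]),
        "pix": Router("pix", {"inside": ("10.1.2.2/30", "link"),
                              "outside": ("203.0.113.26/24", "isp")},   # assumed
                      [("10.1.1.0/24", "10.1.2.1"), ("0.0.0.0/0", "203.0.113.1")]),
    }


if __name__ == "__main__":
    for label, rs in (("before", build_before()), ("after", build_after())):
        print(label, "LAN -> internet:", trace(rs, "netgear", "8.8.8.8"))
        print(label, "PIX -> 10.1.1.3:", trace(rs, "pix", "10.1.1.3"))
```

In the "before" run the Netgear resolves its default gateway 10.1.1.2 through the /8 connected route and ARPs for it on the LAN side, where the PIX is not, and the PIX likewise treats 10.1.1.3 as on-link and never hands it to the Netgear. In the "after" run the default route resolves through the /30 to the PIX, and the PIX's one static route sends LAN traffic back to 10.1.2.1.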
Ok. I'm getting a little confused. Sorry for not understanding everything.
I think your post is with my original picture, which has changed some. I have attached an updated image. The cisco outside port is now on a totally different class A network. so there should be no confusion about the routing there right? and the subnetting should now no longer matter?
Shouldn't nat or pat or some sort of dynamic static route work without adding a route for each host?
To me it seems like i just need a rule to allow traffic to pass freely between two separate networks, the outside one and the inside one? Again, the outside interface can ping and use everything outside and the inside network can ping and use everything inside
problem solved....ok. resolved is a better word.
the netgear router was moved to a full blown switch port, rather than between the vpn and the switch.
eliminated the dhcp/dns domain controller server and made the pix do all of that.
turned everything off and turned it all back on again and stepped through the setup....outside interface got a 68.x.x.x address.
added a couple things to my config file to allow the pings through and now the device sits in line with inbound and outbound traffic flowing nicely.
i will make one nice "home setup" post at the end.
my new question is how to allow split and forced tunnel vpn remote access. i will open it under a new thread.