I have an established site-to-site VPN between a PIX 501 at the remote end and a 515E at the main site. Subnets are 192.168.50.x at the remote site and 192.168.44.0 (255.255.254.0 mask at the main site end), which is working properly.
I can, with persistent routes on systems at each end, see the needed addresses on the 44/45 subnet from 50, and the 50 subnet from 44/45, and traffic moves appropriately.
At the main end I now have added a 192.168.53.x subnet, with a router at 192.168.44.24 to handle it, and from the pix at 192.168.45.1 I can see addresses on this subnet.
What I am trying to do is to get a route established from the PIX at 192.168.50.1 so that addresses on the 192.168.50.x subnet can see the 53.x subnet addresses (so I can place some VoIP phones at the remote site to connect to the PBX here, which is using the 53.x subnet).
I can ping addresses on the 53.x subnet from the PIX at the main site (45.1), and I can ping the 44.24 address of the router to the 53.x subnet from addresses on the 50.x subnet.
I know I am missing a route from the 50.x subnet to find the next hop, but I cannot seem to determine where it goes from here. I would assume the 50.1 PIX should have a route to 53.x with a gateway address of 50.1, and that would pass to the 45.1 PIX, which has a route to 44.24 as a gateway to 53.x, but I can't seem to make that work.
So, what am I missing, or am I missing the boat entirely on the process? I am good enough with TCP routing to understand the answer, but not quite good enough to spot it, apparently.
First of all, routes are not enough. On the PIX, you must change the access list for the VPN (NAT 0) so that the .53 subnet is allowed to exchange encrypted traffic with the .50 subnet.
Then, PIXes don't really pass routes to each other. They can do very simple RIP or OSPF, but perhaps it is not worth it for you to do that yet. Basically, the route to .53 on PIX 50.1 is just like the one to .44. Vice versa on the other PIX.
Then, the router will need a route to .50 via 45.1.
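To make the three points in the answer above concrete (the crypto/NAT 0 ACL, the static routes, and the router's return route), here is an added configuration example that is not from the original thread or from Cisco. It is written in PIX 6.x syntax using the addresses given in the question; the ACL and crypto map names (`nonat`, `vpn`, `remote-map`, `main-map`) and the remote PIX's outside default gateway (203.0.113.1) are assumptions, as is the existence of an already-working crypto map at each end. Both PIXes must be changed symmetrically.

```cisco
! --- PIX 501 at the remote site (inside 192.168.50.1) ---
! 1. Exempt 50.x <-> 53.x from NAT, next to the existing 50.x <-> 44/45 entry.
!    (ACL name "nonat" is assumed; use the name already bound to "nat (inside) 0".)
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.44.0 255.255.254.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
nat (inside) 0 access-list nonat
! 2. Add the same pair to the crypto ACL so 50.x <-> 53.x is sent through the tunnel.
access-list vpn permit ip 192.168.50.0 255.255.255.0 192.168.44.0 255.255.254.0
access-list vpn permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
crypto map remote-map 10 match address vpn
! 3. Route 53.x out the outside interface exactly like 44.x: the next hop is the
!    outside default gateway (203.0.113.1 is a placeholder), not the far PIX's
!    inside address. An existing default route already covers this.
route outside 192.168.53.0 255.255.255.0 203.0.113.1 1

! --- PIX 515E at the main site (inside 192.168.45.1, mask 255.255.254.0) ---
! Mirror image of the remote side: 53.x is now a local source, 50.x the remote one.
access-list nonat permit ip 192.168.44.0 255.255.254.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn permit ip 192.168.44.0 255.255.254.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map main-map 10 match address vpn
! Decrypted 50.x -> 53.x packets are forwarded to the 53.x router on the inside;
! 192.168.44.24 is directly connected because the inside mask is /23.
route inside 192.168.53.0 255.255.255.0 192.168.44.24 1
! Let IPsec-decrypted packets bypass the outside interface ACL.
sysopt connection permit-ipsec

! --- Router at 192.168.44.24 (IOS) ---
! Return route for the remote subnet. Without it, replies from 53.x hosts
! never reach the VPN and pings from 50.x to 53.x are one-way.
ip route 192.168.50.0 255.255.255.0 192.168.45.1

! On both PIXes, after editing the crypto ACL, tear down the old SAs so new
! ones are negotiated for the added 50.x <-> 53.x pair, then verify:
clear crypto ipsec sa
show crypto ipsec sa
```

The crypto ACLs at the two ends must be exact mirror images (source and destination swapped), otherwise phase 2 fails for the new pair while the original 50.x/44.x pair keeps working. After the change, `show crypto ipsec sa` should list a separate SA for the 192.168.50.0/24 <-> 192.168.53.0/24 selector; if only the 44.x/45.x selector appears, the traffic is not matching the crypto ACL. If the SA exists and encaps counters climb while decaps stay at zero, the packets are leaving the remote PIX but replies are not coming back, which points at the return route on the router at 192.168.44.24 or at the default gateway of the 53.x host.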
I think that has me closer to it, but I am not quite there yet.
The 192.168.53.x network has been added to the ACL at both ends to allow it to pass traffic from the 501 PIX at the 50.x network end to the 515 PIX at the 44.x end. A route is added on the 501 PIX to take 53.x and route it to 45.1, and on 45.1 to route to 44.24 for the 53.x subnet.
At the 515 PIX, 45.1, I can ping (inside) 50.1, 50.3 (a host beyond the PIX for testing), 44.24 (router to the 53 net), and 53.1 (host on the 53 subnet) with no problems.
At the 501 PIX, 50.1, I can ping 50.3, 45.1 (515 PIX), 44.24, but not 53.1.
I'm still missing something, but I just haven't found it.