I have a network on a remotely connected WAN that I wish to allow access to from a IPSEC VPN session (Cisco client)
Network looks a little bit like this
Internet -- Outside Router -- PIX Firewall -- Inside Router -- MPLS -- Router - Remote Network
My VPN currently works fine to the inside router, however i am unable to access the remote network. When I do a tracert on the remote network I can see that it's not attempting to route it through thte connection, instead its trying to route it via the internet.
I'd post my PIX configuration here except that it's completely massive and may be more than your interested in seeing. How do I go about getting the traffic to route to this remote network?
As a side note, I have included a route inside x.x.x.x statement on the PIX for this remote network.
Thanks
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
1)Adding the static is fine, but once you connect via the vpn, do a "route print" (windows) or "netstat -rn"(if linux/unix)in your desktop to see if the remote network appears in your routing table or not. If not, then you have to advertise it first so that it comes to your desktop routing table first.
2)Does the remote MPLS segment have route towards your vpn IP?
Hi,
It seems you want to use hairpinning?
http://www.petenetlive.com
Did you configured on nonat statement the VPN client traffic to remote network, and is the remote network routers konow the CPN cilents network addess?
I've attached a partial configuration that should give you all what you're looking for.
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.104.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 100 extended permit ip 172.16.101.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 100 extended permit ip 172.16.102.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 100 extended permit ip 172.16.103.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 100 extended permit ip 172.16.106.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.102.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.102.0 255.255.255.0
access-list 100 extended permit ip 172.16.101.0 255.255.255.0 172.16.102.0 255.255.255.0
access-list 100 extended permit ip 172.16.103.0 255.255.255.0 172.16.102.0 255.255.255.0
access-list 100 extended permit ip 172.16.107.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 172.16.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 172.16.102.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.108.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.108.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 extended permit ip 172.16.102.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 172.16.106.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 172.16.107.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 172.16.200.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 172.16.102.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.109.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.109.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.110.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.110.0 255.255.255.0
access-list 100 extended permit ip 172.16.107.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 172.16.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.107.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.112.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.112.0 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 172.16.112.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.112.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.107.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.107.0 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 172.16.107.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.111.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.111.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 206.195.31.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.120.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.120.0 255.255.255.0
access-list 100 extended permit ip 172.16.225.0 255.255.255.0 172.16.113.0 255.255.255.0
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 172.16.113.0 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 1.18.44.0 255.255.255.0
access-list 100 extended permit ip 1.18.44.0 255.255.255.0 10.10.10.0 255.255.255.0 (this is the new remote network I'm trying to access)
global (outside2) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.xxx.xxx.1 1
route inside 1.18.44.0 255.255.255.0 172.16.225.1 1 (new network trying to route to)
route inside 172.16.100.0 255.255.255.0 172.16.225.1 1 (this network works correctly via VPN)
route inside 172.16.103.0 255.255.255.0 172.16.225.1 1
To answer other questions.
1.) Hairpining uses the same interface, in this case I'm routing from the outside -- inside although I do already have hairpining enabled for other purposes.
2.) MPLS routes via BGP and the new network is advertised, default route for the VPN network points back to the BGP host router, which in turns routes 0.0.0.0 to the PIX
I'm aware that it's not in a private range, a vendor created this address on some process control equipment and I'm stuck with it. 1.18.x.x actually dosen't route anywhere on the internet, so using it shouldn't cause much harm.
Regardless I still need to find a way to connect to this address via VPN.
I am going to have to reiterate:
1.18.44.0 - is NOT a private IP address
Which I believe will cause you problems.
However, we can troubleshoot:
If you connect the Cisco VPN client on a PC and then do a "Route Print" in command prompt. See if there is a line that reads:
1.18.44.0 255.255.255.0 10.10.10.x 10.10.10.1 100
This shows that the PIX has added the correct route to the client, if not the PC will try to connect through the interent which I believe is what you are describing here:
"When I do a tracert on the remote network I can see that it's not attempting to route it through thte connection, instead its trying to route it via the internet."
Business Accounts
Answer for Membership
by: ccie22921Posted on 2009-09-28 at 06:14:23ID: 25439013
It would help to see the PIX configuration, but immediate insight might be given to the NAT statements that are relevant to your issue. More so, sounds like you need to include the VPN traffic in a "No-Nat" statement so that the VPN traffic is not natted. I understand it is large, but it would make troubleshooting somewhat easier.