routing issue

Here are the situation:
MS VPN client-------------------Win VPN server + LAN----------------Win router + Lab LAN

Local IP           VPN server      router

VPN IP 192.168.254.x            LAN      Lab

2. VPN clients can ping 10 LAN and 10 LAN can ping Lab LAN.
What I want to do is ping Lab LAN from VPN client. So, what I may do is using route command to modify the routing table. However, when I do route add mask, I receive this message: "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine".
Any suggestions?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

On your PC, add a route like this:
  route add mask 192.168.254.x <=your own VPN IP here

Else, choose Network properites of your VPN client, TCP/IP, check the box [] Use default gateway on remote network
smith9069Author Commented:
Thank you for the help.

Aftre added route add mask, the routing table looks like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
    x.x.x.x       40       1       1       40       40       40       50       50       40       1       1       1
Default Gateway:

and pathping looks like this.

Tracing route to over a maximum of 30 hops

  0  attbilap []
  1     *        *        *
Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           attbi1073 []
                              100/ 100 =100%   |
  1  ---     100/ 100 =100%     0/ 100 =  0%  attbi1073 []

I believe I need to add a route on the VPN server to point to the 172.16.100.x LAN but I don't have right to do so. Can I modify my vpn client routing table to access the 172 LAN without changing the routing table on the VPN server?
your final comment is absolutely true. It must be done on the server. There is nothing you can do on the client end.
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

smith9069Author Commented:
I got OK to make the change. This is Cisco PIX 515 firewall as VPN. I added route inside 1 and hope any inside users with 10 ip and VPN users with 192 ip can access te 172 LAN. But that doesn't work even inside. If I pathping from my computer, it doesn't pass through the router (see below). Do you miss some things?


Tracing route to over a maximum of 30 hops

  0  pc801 []
  1  ...
Since you are using PIX as the VPN server, there are several things that can be the problem. I would have to see the complete PIX config, but generally there needs to be an access-list entry the defines traffic from the subnet and the subnet to the VPN client addresses, something like this:
  access-list nat_0 permit ip
  access-list nat_0 permit ip
  nat (inside) 0 access-list nat_0

smith9069Author Commented:
1. the line you posted is "access-list nat_0 permit ip".
Should "" be

2. We have the following lines.
access-list 101 permit ip
access-list 101 permit ip

nat (inside) 0 access-list 101
nat (inside) 1 0 0

should I just add this line for the VPN user: access-list nat_0 permit ip
and this line for the LAN users: access-list nat_0 permit ip
Try just adding this to access-list 101:
  access-list 101 permit ip

If you can ping from the PIX to the 172.16.100.x host, this should work for you.

one other place to check the PIX config is in the VPNGROUP settings, look for
vpngroup <GROUP> split-tunnel <access-list>

The same entry will need to be added to the split-tunnel acl if there is one.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
smith9069Author Commented:
Hello Irmoore,

Yes, after added "access-list 101 permit ip", the VPN users can ping 172.16.100.x.

For the 10 LAN users, I always do "route add mask" on their workstations and it works. But when I added "access-list 101 permit ip" that doesn't work for the 10 LAN user. Why?
Because it is a rule that defines traffic between the local LAN and the VPN clients that have a ip address. It has no affect on routing traffic. The PIX can't re-route local workstations, and that is by design.
smith9069Author Commented:

I accepted your answer and thank you for the help.

However, can you think any way to make the computer in the LAN (10 ip) can access the 172 LAN without changing the routing table manually on the worstation? in other words, is the place to modify routing table so that all computers in the 10 LAN access the 172 LAN?
The only solution would be to make the WinRouter the default gateway for the clients, with IT pointing to the PIX as it's default.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.