Solved

routing issue

Posted on 2004-11-27
Last Modified: 2012-05-05
Here is the situation:
 
1.
 
MS VPN client-------------------Win VPN server + LAN----------------Win router + Lab LAN

Local IP 192.168.10.15           VPN server 192.168.254.1      router 10.0.100.2/172.16.100.1

VPN IP 192.168.254.x            LAN 10.0.0.0/255.255.0.0      Lab 172.16.100.0/255.255.255.0

 
2. VPN clients can ping 10 LAN and 10 LAN can ping Lab LAN.
 
What I want to do is ping Lab LAN from VPN client. So, what I may do is using route command to modify the routing table. However, when I do route add 172.16.100.0 mask 255.255.255.0 10.0.100.2, I receive this message: "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine".
 
Any suggestions?
 
0
Question by:smith9069
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12690984
On your PC, add a route like this:
  route add 172.16.100.0 mask 255.255.255.0 192.168.254.x <=your own VPN IP here

Else, choose Network properties of your VPN client, TCP/IP, check the box [] Use default gateway on remote network
0
 
LVL 1

Author Comment

by:smith9069
ID: 12691654
Thank you for the help.

After adding route add 172.16.100.0 mask 255.255.255.0 192.168.254.2, the routing table looks like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.7       41
          0.0.0.0          0.0.0.0    192.168.254.2   192.168.254.2       1
    x.x.x.x   255.255.255.255     192.168.10.1    192.168.10.7       40
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     172.16.100.0    255.255.255.0    192.168.254.2   192.168.254.2       1
     192.168.10.0    255.255.255.0     192.168.10.7    192.168.10.7       40
     192.168.10.7  255.255.255.255        127.0.0.1       127.0.0.1       40
   192.168.10.255  255.255.255.255     192.168.10.7    192.168.10.7       40
    192.168.254.2  255.255.255.255        127.0.0.1       127.0.0.1       50
  192.168.254.255  255.255.255.255    192.168.254.2   192.168.254.2       50
        224.0.0.0        240.0.0.0     192.168.10.7    192.168.10.7       40
        224.0.0.0        240.0.0.0    192.168.254.2   192.168.254.2       1
  255.255.255.255  255.255.255.255     192.168.10.7    192.168.10.7       1
  255.255.255.255  255.255.255.255    192.168.254.2   192.168.254.2       1
Default Gateway:     192.168.254.2

and pathping looks like this.

Tracing route to 172.16.100.1 over a maximum of 30 hops

  0  attbilap [192.168.254.2]
  1     *        *        *
Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           attbi1073 [192.168.254.2]
                              100/ 100 =100%   |
  1  ---     100/ 100 =100%     0/ 100 =  0%  attbi1073 [0.0.0.0]
===========================================================================

I believe I need to add a route on the VPN server to point to the 172.16.100.x LAN but I don't have right to do so. Can I modify my vpn client routing table to access the 172 LAN without changing the routing table on the VPN server?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12691951
Your final comment is absolutely true. It must be done on the server. There is nothing you can do on the client end.
0
 
LVL 1

Author Comment

by:smith9069
ID: 12707438
I got OK to make the change. This is a Cisco PIX 515 firewall as the VPN. I added route inside 172.16.100.0 255.255.255.0 10.0.100.2 1 and hope any inside users with 10 ip and VPN users with 192 ip can access the 172 LAN. But that doesn't work even inside. If I pathping 172.16.100.1 from my computer 10.0.0.1, it doesn't pass through the router 10.0.100.2 (see below). Do you miss some things?

H:\>pathping 172.16.100.1

Tracing route to 172.16.100.1 over a maximum of 30 hops

  0  pc801 [10.0.0.11]
  1  ...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12707925
Since you are using PIX as the VPN server, there are several things that can be the problem. I would have to see the complete PIX config, but generally there needs to be an access-list entry that defines traffic from the 10.0.0.0/24 subnet and the 172.16.100.0/24 subnet to the VPN client addresses, something like this:
  access-list nat_0 permit ip 10.0.0.0 255.255.255.0 192.168.254.0 255.255.255.0
  access-list nat_0 permit ip 172.16.100.1 255.255.255.0 192.168.254.0 255.255.255.0
  nat (inside) 0 access-list nat_0

0
 
LVL 1

Author Comment

by:smith9069
ID: 12711058
1. the line you posted is "access-list nat_0 permit ip 172.16.100.1 255.255.255.0 192.168.254.0 255.255.255.0".
Should "172.16.100.1" be 172.16.100.0?

2. We have the following lines.
access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.254.0 255.255.255.0

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

should I just add this line for the VPN user: access-list nat_0 permit ip 172.16.100.0 255.255.255.0 192.168.254.0 255.255.255.0
and this line for the LAN users: access-list nat_0 permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.255.0.0?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 600 total points
ID: 12711164
Try just adding this to access-list 101:
  access-list 101 permit ip 172.16.100.0 255.255.255.0 192.168.254.0 255.255.255.0

If you can ping from the PIX to the 172.16.100.x host, this should work for you.

one other place to check the PIX config is in the VPNGROUP settings, look for
vpngroup <GROUP> split-tunnel <access-list>

The same entry will need to be added to the split-tunnel acl if there is one.

0
 
LVL 1

Author Comment

by:smith9069
ID: 12720579
Hello lrmoore,

Yes, after adding "access-list 101 permit ip 172.16.100.0 255.255.255.0 192.168.254.0 255.255.255.0", the VPN users can ping 172.16.100.x.

For the 10 LAN users, I always do "route add 172.16.100.0 mask 255.255.255.0 10.0.100.1" on their workstations and it works. But when I added "access-list 101 permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.255.0.0" that doesn't work for the 10 LAN user. Why?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12720999
Because it is a rule that defines traffic between the local LAN and the VPN clients that have a 10.0.0.0 ip address. It has no effect on routing traffic. The PIX can't re-route local workstations, and that is by design.
0
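The two decisions this thread turns on (the client's `route add` being rejected and then a working route via the VPN address in lrmoore's first comment, and the `nat (inside) 0` access-list entry changing NAT exemption but not the next hop in the comment just above) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco or Microsoft. It uses Python's standard `ipaddress` module. All addresses are taken from the thread except the PIX inside and outside interface addresses (10.0.0.254 and 203.0.113.x), which are constructed placeholders, and the PIX behaviour is a simplified model of PIX 6.x: NAT exemption is decided by the `nat 0` ACL, the next hop by the route table, and a packet is dropped when its next hop lies out of the interface it arrived on.

```python
# Added example (not from the thread): model of the Windows client route table and of a
# PIX 6.x-style forwarding decision. PIX interface addresses are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    addr: ipaddress.IPv4Interface   # address with its connected prefix, e.g. 10.0.0.254/16


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str                  # name of the Interface the route sends out of
    metric: int = 1


@dataclass(frozen=True)
class Ace:
    """One `access-list ... permit ip SRC DST` entry; nat 0 exemptions apply to either direction."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def onlink_interface(interfaces: List[Interface], gateway: ipaddress.IPv4Address) -> Optional[Interface]:
    """The interface whose connected subnet contains `gateway`, or None. Windows `route add`
    refuses a gateway on no connected subnet ('the gateway does not lie on the same network')."""
    for iface in interfaces:
        if gateway in iface.addr.network:
            return iface
    return None


def add_route(table: List[Route], interfaces: List[Interface], prefix: str, gateway: str, metric: int = 1) -> Route:
    gw = ipaddress.IPv4Address(gateway)
    iface = onlink_interface(interfaces, gw)
    if iface is None:
        raise ValueError(f"route add {prefix} via {gateway}: gateway does not lie on a connected network")
    route = Route(ipaddress.IPv4Network(prefix), gw, iface.name, metric)
    table.append(route)
    return route


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric breaks ties (the thread's table has two 0.0.0.0/0
    entries, and the metric-1 one via the VPN peer wins)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any((s in a.src and d in a.dst) or (s in a.dst and d in a.src) for a in acl)


def pix_decision(routes: List[Route], nat0_acl: List[Ace], ingress: str, src: str, dst: str) -> dict:
    """The ACL only decides NAT exemption; the route table decides the next hop, and a packet
    whose next hop is out of its ingress interface is dropped (the PIX does not hairpin)."""
    route = lookup(routes, dst)
    exempt = acl_permits(nat0_acl, src, dst)
    if route is None:
        return {"action": "drop-no-route", "nat_exempt": exempt}
    action = "forward" if route.interface != ingress else "drop-same-interface"
    return {"action": action, "egress": route.interface, "gateway": str(route.gateway), "nat_exempt": exempt}


# --- scenario 1: the Windows VPN client (addresses from the routing table posted above)
CLIENT_IFACES = [Interface("lan", ipaddress.IPv4Interface("192.168.10.7/24")),
                 Interface("vpn", ipaddress.IPv4Interface("192.168.254.2/32"))]   # PPP link: host prefix


def client_table() -> List[Route]:
    table: List[Route] = []
    add_route(table, CLIENT_IFACES, "0.0.0.0/0", "192.168.10.1", metric=41)
    add_route(table, CLIENT_IFACES, "0.0.0.0/0", "192.168.254.2", metric=1)   # "use default gateway on remote network"
    add_route(table, CLIENT_IFACES, "192.168.10.0/24", "192.168.10.7", metric=40)
    return table


def client_route_add_fails() -> bool:
    """The command from the question: 10.0.100.2 is on neither connected subnet."""
    try:
        add_route(client_table(), CLIENT_IFACES, "172.16.100.0/24", "10.0.100.2")
    except ValueError:
        return True
    return False


def client_next_hop(with_fix: bool) -> str:
    table = client_table()
    if with_fix:   # lrmoore's suggestion: point the route at the client's own VPN address
        add_route(table, CLIENT_IFACES, "172.16.100.0/24", "192.168.254.2")
    return str(lookup(table, "172.16.100.1").gateway)


# --- scenario 2: the PIX (inside/outside addresses are constructed placeholders)
PIX_ROUTES = [Route(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("203.0.113.254"), "outside"),
              Route(ipaddress.IPv4Network("10.0.0.0/16"), ipaddress.IPv4Address("10.0.0.254"), "inside"),
              Route(ipaddress.IPv4Network("172.16.100.0/24"), ipaddress.IPv4Address("10.0.100.2"), "inside")]
ACL_101 = [Ace(ipaddress.IPv4Network("10.0.0.0/16"), ipaddress.IPv4Network("192.168.1.0/24")),
           Ace(ipaddress.IPv4Network("10.0.0.0/16"), ipaddress.IPv4Network("192.168.254.0/24"))]
FIX_ACE = Ace(ipaddress.IPv4Network("172.16.100.0/24"), ipaddress.IPv4Network("192.168.254.0/24"))  # accepted solution
LAN_ACE = Ace(ipaddress.IPv4Network("172.16.100.0/24"), ipaddress.IPv4Network("10.0.0.0/16"))      # the line that "doesn't work"


def vpn_client_to_lab(acl: List[Ace]) -> dict:
    return pix_decision(PIX_ROUTES, acl, "outside", "192.168.254.2", "172.16.100.1")


def lan_host_to_lab(acl: List[Ace]) -> dict:
    return pix_decision(PIX_ROUTES, acl, "inside", "10.0.0.11", "172.16.100.1")
```

Two things fall out of running it. On the client, `client_next_hop(False)` and `client_next_hop(True)` both return 192.168.254.2: with "use default gateway on remote network" active the 172.16.100.1 traffic already went into the tunnel, so the client-side route could not have been what was missing, which is why the fix had to be on the PIX. On the PIX, adding `LAN_ACE` flips `nat_exempt` to true for the 10.0.0.11 host but the decision stays `drop-same-interface`, because the route to 172.16.100.0/24 points back out the inside interface the packet came in on; a workstation with its own `route add` to 10.0.100.2 never sends that packet to the PIX at all.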
 
LVL 1

Author Comment

by:smith9069
ID: 12727730
lrmoore,

I accepted your answer and thank you for the help.

However, can you think of any way to make the computers in the LAN (10 ip) able to access the 172 LAN without changing the routing table manually on the workstation? In other words, is there a place to modify the routing table so that all computers in the 10 LAN can access the 172 LAN?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12727788
The only solution would be to make the WinRouter the default gateway for the clients, with it pointing to the PIX as its default.

Thanks!
0
