smith9069

asked on

routing issue

Here is the situation:
 
1.
 
MS VPN client-------------------Win VPN server + LAN----------------Win router + Lab LAN

Local IP 192.168.10.15           VPN server 192.168.254.1      router 10.0.100.2/172.16.100.1

VPN IP 192.168.254.x            LAN 10.0.0.0/255.255.0.0      Lab 172.16.100.0/255.255.255.0

 
2. VPN clients can ping 10 LAN and 10 LAN can ping Lab LAN.
 
What I want to do is ping Lab LAN from VPN client. So, what I may do is using route command to modify the routing table. However, when I do route add 172.16.100.0 mask 255.255.255.0 10.0.100.2, I receive this message: "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine".
 
Any suggestions?
 
Les Moore

On your PC, add a route like this:
  route add 172.16.100.0 mask 255.255.255.0 192.168.254.x <=your own VPN IP here

Else, choose Network properties of your VPN client, TCP/IP, check the box [] Use default gateway on remote network
smith9069

ASKER

Thank you for the help.

After adding route add 172.16.100.0 mask 255.255.255.0 192.168.254.2, the routing table looks like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.7       41
          0.0.0.0          0.0.0.0    192.168.254.2   192.168.254.2       1
    x.x.x.x   255.255.255.255     192.168.10.1    192.168.10.7       40
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     172.16.100.0    255.255.255.0    192.168.254.2   192.168.254.2       1
     192.168.10.0    255.255.255.0     192.168.10.7    192.168.10.7       40
     192.168.10.7  255.255.255.255        127.0.0.1       127.0.0.1       40
   192.168.10.255  255.255.255.255     192.168.10.7    192.168.10.7       40
    192.168.254.2  255.255.255.255        127.0.0.1       127.0.0.1       50
  192.168.254.255  255.255.255.255    192.168.254.2   192.168.254.2       50
        224.0.0.0        240.0.0.0     192.168.10.7    192.168.10.7       40
        224.0.0.0        240.0.0.0    192.168.254.2   192.168.254.2       1
  255.255.255.255  255.255.255.255     192.168.10.7    192.168.10.7       1
  255.255.255.255  255.255.255.255    192.168.254.2   192.168.254.2       1
Default Gateway:     192.168.254.2

and pathping looks like this.

Tracing route to 172.16.100.1 over a maximum of 30 hops

  0  attbilap [192.168.254.2]
  1     *        *        *
Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           attbi1073 [192.168.254.2]
                              100/ 100 =100%   |
  1  ---     100/ 100 =100%     0/ 100 =  0%  attbi1073 [0.0.0.0]
===========================================================================

I believe I need to add a route on the VPN server to point to the 172.16.100.x LAN but I don't have right to do so. Can I modify my vpn client routing table to access the 172 LAN without changing the routing table on the VPN server?
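As an added illustration (not part of the thread), this Python script models the client's routing table posted above: the on-link check that made `route add ... 10.0.100.2` fail, and the longest-prefix lookup showing that the new 172.16.100.0/24 entry still hands the packet to the same VPN next hop, 192.168.254.2. Interface netmasks are assumed (/24 on the LAN adapter, /32 on the PPP VPN adapter).

```python
import ipaddress

# Constructed subset of the VPN client's routing table posted above.
# Rows are (destination, netmask, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.10.1", "192.168.10.7", 41),
    ("0.0.0.0", "0.0.0.0", "192.168.254.2", "192.168.254.2", 1),
    ("192.168.10.0", "255.255.255.0", "192.168.10.7", "192.168.10.7", 40),
]
# Interface address -> netmask. Assumed: /24 on the LAN NIC, /32 on the PPP VPN adapter.
INTERFACES = {"192.168.10.7": "255.255.255.0", "192.168.254.2": "255.255.255.255"}

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def onlink_interface(gateway):
    """Return the local interface whose subnet contains the gateway, or None.
    Windows refuses 'route add' when this is None ('the gateway does not lie
    on the same network as the interface'), which is what rejected 10.0.100.2."""
    gw = ipaddress.ip_address(gateway)
    return next((a for a, m in INTERFACES.items() if gw in net(a, m)), None)

def add_route(routes, dest, mask, gateway, metric=1):
    """Mimic 'route add DEST mask MASK GATEWAY'; returns the status message."""
    iface = onlink_interface(gateway)
    if iface is None:
        return "The route addition failed: gateway not on any interface subnet"
    routes.append((dest, mask, gateway, iface, metric))
    return "OK!"

def lookup(routes, dst):
    """Longest-prefix match, lowest metric breaks ties; returns the winning row."""
    d = ipaddress.ip_address(dst)
    best = None
    for row in routes:
        n = net(row[0], row[1])
        key = (n.prefixlen, -row[4])
        if d in n and (best is None or key > best[0]):
            best = (key, row)
    return best[1] if best else None

if __name__ == "__main__":
    print(lookup(ROUTES, "172.16.100.1"))    # default route via 192.168.254.2
    print(add_route(ROUTES, "172.16.100.0", "255.255.255.0", "10.0.100.2"))
    print(add_route(ROUTES, "172.16.100.0", "255.255.255.0", "192.168.254.2"))
    print(lookup(ROUTES, "172.16.100.1"))    # /24 row, same next hop 192.168.254.2
```

Either way the packet leaves through the VPN adapter toward 192.168.254.2, so the client-side route cannot change what the VPN server does with it next.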
your final comment is absolutely true. It must be done on the server. There is nothing you can do on the client end.
I got OK to make the change. This is Cisco PIX 515 firewall as VPN. I added route inside 172.16.100.0 255.255.255.0 10.0.100.2 1 and hope any inside users with 10 ip and VPN users with 192 ip can access the 172 LAN. But that doesn't work even inside. If I pathping 172.16.100.1 from my computer 10.0.0.1, it doesn't pass through the router 10.0.100.2 (see below). Do you miss some things?

H:\>pathping 172.16.100.1

Tracing route to 172.16.100.1 over a maximum of 30 hops

  0  pc801 [10.0.0.11]
  1  ...
Since you are using PIX as the VPN server, there are several things that can be the problem. I would have to see the complete PIX config, but generally there needs to be an access-list entry that defines traffic from the 10.0.0.0/24 subnet and the 172.16.100.0/24 subnet to the VPN client addresses, something like this:
  access-list nat_0 permit ip 10.0.0.0 255.255.255.0 192.168.254.0 255.255.255.0
  access-list nat_0 permit ip 172.16.100.1 255.255.255.0 192.168.254.0 255.255.255.0
  nat (inside) 0 access-list nat_0

1. the line you posted is "access-list nat_0 permit ip 172.16.100.1 255.255.255.0 192.168.254.0 255.255.255.0".
Should "172.16.100.1" be 172.16.100.0?

2. We have the following lines.
access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 192.168.254.0 255.255.255.0

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

should I just add this line for the VPN user: access-list nat_0 permit ip 172.16.100.0 255.255.255.0 192.168.254.0 255.255.255.0
and this line for the LAN users: access-list nat_0 permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.255.0.0?
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
Hello lrmoore,

Yes, after adding "access-list 101 permit ip 172.16.100.0 255.255.255.0 192.168.254.0 255.255.255.0", the VPN users can ping 172.16.100.x.

For the 10 LAN users, I always do "route add 172.16.100.0 mask 255.255.255.0 10.0.100.1" on their workstations and it works. But when I added "access-list 101 permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.255.0.0" that doesn't work for the 10 LAN user. Why?
Because it is a rule that defines traffic between the local LAN and the VPN clients that have a 10.0.0.0 ip address. It has no effect on routing traffic. The PIX can't re-route local workstations, and that is by design.
lrmoore,

I accepted your answer and thank you for the help.

However, can you think of any way to let the computers in the LAN (10 ip) access the 172 LAN without changing the routing table manually on the workstation? In other words, is there a place to modify the routing table so that all computers in the 10 LAN can access the 172 LAN?
The only solution would be to make the WinRouter the default gateway for the clients, with IT pointing to the PIX as its default.

Thanks!