• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 174

Private class network to network VPN issue

Hi everyone!
So this may boil down to two actually distinct questions, let me know if I need to split them up.
Here's the first scenario:
I have a colocation that recently was set up in Washington. This colocation is set up on 100.100.16.0/24. Now in house we're also using a range of private IP addresses, which are 100.100.18.0/24. I have a Cisco 506E firewall set up at the head of our network with a VPN endpoint on it, with split tunneling enabled. Clients, when they're VPN'd in, are given 100.100.18.180 - 100.100.18.200 for the VPN pool. When I have someone VPN into our network from the colocation, the routing on their end (understandably) does not work at all. The issue is the client needs to be able to connect to machines here while at the same time also connecting to a server on that end. However, I don't know if my current network configuration would be valid with what's currently implemented. So that's question one: can two private network address ranges be VPN'd together like this?

Secondly, if they can't, I'd like to change the VPN pool to something completely off our network here, like 192.x.x.x. The problem I see is, how do I then route packets from the 100.100.18.0/24 network to and from the 192.x.x.x network?
Asked: kittensizedbulldozer
2 Solutions
 
lrmoore Commented:
If I understand you correctly, you have a VPN tunnel between you and the colo
You = 100.100.18.0/24
Colo = 100.100.16.0/24
No problems so far

VPN client users get 100.100.18.x IP and can access your internal network just fine
VPN client cannot connect to your PIX and then tunnel through the "other" vpn to the colo?
That's a big 10-4, by design, and no amount of changing subnets will help.
 
magicomminc Commented:
"So that's question one: can two private network address ranges be VPN together like this?"
--yes, but I would say that you will have a hard time writing an ACL to reflect your split tunnel: you need to allow 100.100.18.1-179 to access 10.10.18.180-200, and I don't see an easy way to do that, so I would suggest you go for the 192.x.x.x.
"Secondly, if they can't, I'd like to change the VPN pool to something completely off our network here, like 192.x.x.x. The problem I see is, how do I then route packets from the 100.100.18.0/24 network to and from the 192.x.x.x network?"
--at your 506E (assume you have 6.x version) you need to have a split-tunnel:
vpngroup vpnclient split-tunnel 90
access-list 90 permit ip 100.100.18.0 255.255.255.0 192.x.x.x 255.255.255.0
your VPN client (192.x.x.x) will know how to get back to 100.100.18.0 by default, and the PIX will only send 192.x.x.x traffic through the tunnel.
If you have other inside networks that your VPN clients need to access, you need to add "route inside <network> <router IP>" at your PIX and those networks also need to use pix inside interface as their route to 192.x.x.x network.
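An added example, not code from the thread or from Cisco: it checks a proposed VPN client pool against the existing LAN subnets from the question and, only when the pool does not overlap any inside network, emits the PIX 6.x split-tunnel access-list lines in the form magicomminc shows. The 192.168.100.x pool is an assumed placeholder for the "192.x.x.x" range mentioned above.

```python
import ipaddress

# Constructed sample data mirroring the thread: the inside LAN and the colo LAN
# reached over the site-to-site tunnel.
INSIDE = ipaddress.ip_network("100.100.18.0/24")
COLO = ipaddress.ip_network("100.100.16.0/24")
LAN_NETWORKS = [INSIDE, COLO]


def pool_blocks(first, last):
    """Split an address range (e.g. .180-.200) into the CIDR blocks that cover
    it exactly; each block becomes one network/mask pair in a PIX ACL."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping_networks(first, last, networks):
    """Return every network that shares addresses with the pool range."""
    blocks = pool_blocks(first, last)
    return [net for net in networks if any(net.overlaps(b) for b in blocks)]


def split_tunnel_acl(acl_id, inside_nets, first, last):
    """Emit PIX 6.x 'access-list' lines matching inside networks to the VPN
    pool. A pool carved out of an inside subnet is rejected, because the ACL
    (and the clients' routing) could then not tell LAN hosts from VPN clients."""
    clash = overlapping_networks(first, last, inside_nets)
    if clash:
        raise ValueError(
            f"pool {first}-{last} overlaps {', '.join(map(str, clash))}; "
            "choose a pool outside every inside network")
    lines = []
    for net in inside_nets:
        for block in pool_blocks(first, last):
            lines.append(f"access-list {acl_id} permit ip "
                         f"{net.network_address} {net.netmask} "
                         f"{block.network_address} {block.netmask}")
    return lines


if __name__ == "__main__":
    # The pool from the question sits inside 100.100.18.0/24, so it is flagged.
    print(overlapping_networks("100.100.18.180", "100.100.18.200", LAN_NETWORKS))
    # Assumed placeholder pool for the "192.x.x.x" suggestion; a 21-address
    # range needs four CIDR blocks, hence four ACL lines.
    for line in split_tunnel_acl(90, [INSIDE], "192.168.100.180", "192.168.100.200"):
        print(line)
```

Picking a pool that is itself a single CIDR block (magicomminc's /24) collapses the output to one line per inside network.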
 
kittensizedbulldozer (Author) Commented:
Thank you guys, it was a temporary setup for a demonstration at a show, so we're all set, and I'm (hopefully) a tad wiser now. Thanks for your input.
