Solved

How to configure a static route

Posted on 2006-05-25
Last Modified: 2010-04-12
Hello Experts.

I am having the same problem again. I have two locations: the main office and a colocation site. I included one static route in the Firewall and this is what happens:

- Firewall has VPN capabilities (515)
- User can connect to the office using VPN and gain access to all resources including colocation servers
- The Colocation Servers DO NOT communicate with the office AT ALL (Ping, telnet, email, nothing).

If I remove the static route:

- Colocation servers communicate perfectly with the office
- VPN users cannot gain access remotely to the colocation site.

How do I solve this issue?

RG
Question by:rgomez101
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16762881
What is the IOS version on the 515?
If you are on version 7, then I'll leave this for someone else

However, a sanitised config will be helpful to anyone who deals with this.

Author Comment

by:rgomez101
ID: 16762950

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

pixfirewall up 60 days 2 hours

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Do you have any idea why this static route stops my traffic? I will prepare a sanitized config of the firewall for you.

RG

Expert Comment

by:Keith Alabaster
ID: 16762964
Got an idea but need the config.

If the traffic goes one way with the route and another way without the route, we need to split off the two traffic streams so they can individually go where they need to.

Author Comment

by:rgomez101
ID: 16763197
THAT is exactly what's happening.   If I see the logs, whenever I try to ping from the colocation servers it says:

"no route for ColocationIPAddress"

Following this note is the config.

RG

Author Comment

by:rgomez101
ID: 16763198
This is the config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password KA encrypted
passwd 2F encrypted
hostname pixfirewall
domain-name lo.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.13.1.201 gosling
name 10.13.1.200 dawson
name 10.13.1.210 qa-server
name 10.4.1.0 peer1
name 10.13.1.204 Discovery1
name 10.13.1.205 Discovery2
name 207.46.0.0 MSNMessnger
name 10.13.1.242 JCarrey
name 10.0.1.105 bentley
name 10.13.1.238 Shania
name 10.13.1.206 TerryFox
name 10.13.1.207 loblaws
name 69.90.40.0 Peer1
name 208.97.92.152 DMZ
name 10.13.1.239 FreeRunner
name 10.13.1.234 Mandana
name 10.0.6.0 DenverSide
object-group service mail-web-services tcp
  description http + https + smtp + ftp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq ftp
access-list inside_access_in remark allow dawson http out
access-list inside_access_in permit tcp host dawson any eq www
access-list inside_access_in permit tcp host dawson any eq https
access-list inside_access_in remark Allow Dawson to use FTP traffic
access-list inside_access_in permit tcp host dawson any eq ftp
access-list inside_access_in remark Deny Port FTP (21) for everybody
access-list inside_access_in permit tcp any any eq ftp log
access-list inside_access_in remark Allow Internet Traffic from Gosling to outside
access-list inside_access_in permit tcp host gosling any eq www
access-list inside_access_in remark Allow QAServer to go outside
access-list inside_access_in permit tcp host qa-server any eq www
access-list inside_access_in remark Allow JCarrey to go outside
access-list inside_access_in permit tcp host JCarrey any eq www
access-list inside_access_in remark Allow HTTP traffic from Discovery1
access-list inside_access_in permit tcp host Discovery1 any eq www
access-list inside_access_in remark Allow server Shania to use HTTP
access-list inside_access_in permit tcp host Shania any eq www
access-list inside_access_in remark Allow HTTP Traffic from Discovery2
access-list inside_access_in permit tcp host Discovery2 any eq www
access-list inside_access_in remark Allow traffic from TerryFox to the Internet
access-list inside_access_in permit tcp host TerryFox any eq www
access-list inside_access_in remark Allow Mandana to go to the Internet (JBoss)
access-list inside_access_in permit tcp host Mandana any eq www
access-list inside_access_in remark Allow https in Mandana
access-list inside_access_in permit tcp host Mandana any eq https
access-list inside_access_in remark Freerunner allow to use HTTP to the Internet
access-list inside_access_in permit tcp host FreeRunner any eq www
access-list inside_access_in remark Allow Loblaws to go the Internet
access-list inside_access_in permit tcp host loblaws any eq www
access-list inside_access_in remark allow SSH and SFTP out
access-list inside_access_in permit tcp any any eq ssh
access-list inside_access_in remark Allow outbound Email traffic from TerryFox to the Internet
access-list inside_access_in permit tcp host TerryFox any eq smtp
access-list inside_access_in remark Allow Gosling to send emails OUT
access-list inside_access_in permit tcp host gosling any eq smtp
access-list inside_access_in remark Allow Mandana to email OUT
access-list inside_access_in deny tcp host Mandana any eq smtp
access-list inside_access_in remark allow udp dns out for dawson
access-list inside_access_in permit udp host dawson any eq domain
access-list inside_access_in remark allow Terminal Service out
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in remark allow ping to go out
access-list inside_access_in permit icmp any any echo
access-list inside_access_in remark Allow Ping to come back
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in remark Deny all https traffic out
access-list inside_access_in deny tcp any any eq https
access-list inside_access_in remark Deny Internet traffic to ALL
access-list inside_access_in deny tcp any eq www any eq www
access-list outside_access_in remark Allow inbound Mail-Web services to TerryFox
access-list outside_access_in permit tcp any host 199.43.38.28 object-group mail-web-services
access-list outside_access_in remark deny ping reply in
access-list outside_access_in permit tcp any host 199.43.38.29 eq ftp
access-list outside_access_in remark Deny ping reply in
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Deny ping any server from outside
access-list outside_access_in permit icmp any any echo
access-list VPN2Lontours_splitTunnelAcl permit ip 10.13.1.0 255.255.255.0 any
access-list VPN2Lontours_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 any
access-list VPN2Lontours_splitTunnelAcl permit ip Peer1 255.255.255.0 any
access-list VPN2Lontours_splitTunnelAcl permit ip DenverSide 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.13.1.0 255.255.255.0 10.13.1.160 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 10.13.1.160 255.255.255.224
access-list inside_outbound_nat0_acl remark Denver side allow for VPN Pool
access-list inside_outbound_nat0_acl permit ip DenverSide 255.255.255.0 10.13.1.160 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.13.1.160 255.255.255.224
access-list outside_cryptomap_dyn_20 remark VPN Policy
access-list outside_cryptomap_dyn_20 permit ip any 10.13.1.160 255.255.255.224
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 199.43.38.27 255.255.255.248
ip address inside 10.13.1.252 255.255.255.0
no ip address DMZ
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.13.1.160-10.13.1.180
pdm location dawson 255.255.255.255 inside
pdm location gosling 255.255.255.255 inside
pdm location qa-server 255.255.255.255 inside
pdm location peer1 255.255.255.0 outside
pdm location 10.13.1.160 255.255.255.224 outside
pdm location Discovery1 255.255.255.255 inside
pdm location Discovery2 255.255.255.255 inside
pdm location MSNMessnger 255.255.0.0 outside
pdm location 10.0.1.0 255.255.255.0 inside
pdm location JCarrey 255.255.255.255 inside
pdm location bentley 255.255.255.255 inside
pdm location Shania 255.255.255.255 inside
pdm location TerryFox 255.255.255.255 inside
pdm location loblaws 255.255.255.255 inside
pdm location Peer1 255.255.255.0 inside
pdm location Mandana 255.255.255.255 inside
pdm location Peer1 255.255.255.0 outside
pdm location FreeRunner 255.255.255.255 inside
pdm location 10.0.1.0 255.255.255.0 outside
pdm location 10.0.1.155 255.255.255.255 inside
pdm location 151.193.141.0 255.255.255.0 inside
pdm location 151.193.163.0 255.255.255.0 inside
pdm location 151.193.178.0 255.255.255.0 inside
pdm location DenverSide 255.255.255.0 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 199.43.38.28 TerryFox netmask 255.255.255.255 0 0
static (inside,outside) 199.43.38.29 loblaws netmask 255.255.255.255 0 0
static (inside,outside) 199.43.38.30 gosling netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 199.43.38.25 1
route inside DenverSide 255.255.255.0 10.13.1.1 1
route inside Peer1 255.255.255.0 10.13.1.1 1
route outside Peer1 255.255.255.0 199.43.38.27 4
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.13.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt accept You have been authenticated by Dawson. All your activities will be logged.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set peer ah-md5-hmac esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN2Lontours address-pool vpnpool
vpngroup VPN2Lontours dns-server dawson
vpngroup VPN2Lontours default-domain lontours.ca
vpngroup VPN2Lontours split-tunnel VPN2Lontours_splitTunnelAcl
vpngroup VPN2Lontours idle-time 1800
vpngroup VPN2Lontours password ******
telnet 10.13.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username admin password PXXbR encrypted privilege 5
username asantia password CM1H encrypted privilege 5
terminal width 80
Cryptochecksum:0bfad298
: end
[OK]


Expert Comment

by:Keith Alabaster
ID: 16763249
If it's cool with you, I am going to delete your config.

Run the command again and paste it into notepad. Remove the first two octets of your public IPs and replace them with xxx.xxx.9.11 etc. using find & replace.

This site is open to all and you will not want your public IPs open to scrutiny.

Please confirm.

Regards

Keith

Author Comment

by:rgomez101
ID: 16763303
Don't worry. The IPs in this config have been sanitized. They are not real, so I am not showing my real IPs.

RG

Expert Comment

by:Keith Alabaster
ID: 16763312
OK mate. Just thought I'd check :)

Expert Comment

by:stressedout2004
ID: 16763695
Which static route/s is/are in question? Is it:

route inside Peer1 255.255.255.0 10.13.1.1 1
route outside Peer1 255.255.255.0 199.43.38.27 4

If yes, with respect to the PIX, which interface is Peer1 really connected to? Outside or inside?

Author Comment

by:rgomez101
ID: 16764091
Ok,  this is getting interesting.

You have already noticed there are two static routes. This was one desperate attempt to make it work. I tried one time with two static routes: one for inside, one for outside, and for some reason it worked. But the magic lasted for one day only.

Now, I have deleted the second route and left only one:

route inside Peer1 255.255.255.0 10.13.1.1 1

Any of the interfaces should be able to communicate to Peer1. The internal goes to a router, and that router has a static route for Peer1. The external goes to a DSL connection to the Internet. Makes sense?

RG



Accepted Solution

by:
lrmoore earned 1500 total points
ID: 16764995
> The Colocation Servers DO NOT communication with the office AT ALL (Ping, telnet, email, nothing).

Step by step - anything going to subnet 10.4.1.0 gets sent to router @ 10.13.1.1 - OK
>name 10.4.1.0 peer1  <== can I assume this is the colo subnet?
>name 69.90.40.0 Peer1 <== ??

//-- here, did you mean "peer1" or "Peer1" - they are two different entities as shown in your names table
>route inside Peer1 255.255.255.0 10.13.1.1 1

VPN Users are in the same IP subnet as the local LAN - NOT a good idea
>ip local pool vpnpool 10.13.1.160-10.13.1.180

"any" should not be used in ipsec acls for nat0 or split-tunnels. Since your vpn clients are in the same ip subnet, it's awfully hard to differentiate
>access-list inside_outbound_nat0_acl permit ip any 10.13.1.160 255.255.255.224
>access-list VPN2Lontours_splitTunnelAcl permit ip Peer1 255.255.255.0 any


Here's the problem...
It's a design "feature" of the pix, not a routing issue.
If the default gateway of the local systems points to the PIX inside IP, they won't be able to talk to 10.4.1.0
If the default gateway of the local systems points to the router @ 10.13.1.1 then they will be able to talk to the remote network. I will assume that this router has "its" default route pointing to the PIX @.253?

The "fix" is to use a separate ip subnet for the VPN users and specific acls and routes:

Example:
 ip local pool vpnpool 172.16.13.161-172.16.13.180
 access-list inside_outbound_nat0_acl permit ip 10.13.1.0 255.255.255.0 172.16.13.160 255.255.255.224
 access-list VPN2Lontours_splitTunnelAcl permit ip Peer1 255.255.255.0 172.16.13.160 255.255.255.224



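As an added example (not from this thread and not a Cisco tool), a small Python linter run over a constructed excerpt of the config posted above. It flags the four things this answer calls out: names that differ only by case (peer1 vs Peer1), a VPN pool carved out of the inside LAN subnet, "any" in the nat0/split-tunnel ACLs, and routes that hosts defaulting to the PIX inside address cannot use, since PIX 6.x will not send a packet back out the interface it arrived on.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted earlier in this thread
# (names, VPN pool, interface addresses, nat0/split-tunnel ACLs and routes).
PIX_CONFIG = """\
name 10.4.1.0 peer1
name 69.90.40.0 Peer1
name 10.0.6.0 DenverSide
access-list VPN2Lontours_splitTunnelAcl permit ip 10.13.1.0 255.255.255.0 any
access-list VPN2Lontours_splitTunnelAcl permit ip Peer1 255.255.255.0 any
access-list inside_outbound_nat0_acl remark Denver side allow for VPN Pool
access-list inside_outbound_nat0_acl permit ip DenverSide 255.255.255.0 10.13.1.160 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.13.1.160 255.255.255.224
ip address outside 199.43.38.27 255.255.255.248
ip address inside 10.13.1.252 255.255.255.0
ip local pool vpnpool 10.13.1.160-10.13.1.180
route outside 0.0.0.0 0.0.0.0 199.43.38.25 1
route inside DenverSide 255.255.255.0 10.13.1.1 1
route inside Peer1 255.255.255.0 10.13.1.1 1
route outside Peer1 255.255.255.0 199.43.38.27 4
"""


def parse(config):
    """Pull out the handful of PIX 6.x statements the checks below look at."""
    names, acls, pools, ifaces, routes = {}, {}, {}, {}, []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                      # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[0] == "access-list" and p[2] != "remark":
            acls.setdefault(p[1], []).append(p[2:])
        elif p[:3] == ["ip", "local", "pool"]:  # ip local pool <name> <lo>-<hi>
            lo, hi = p[4].split("-")
            pools[p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[:2] == ["ip", "address"]:        # ip address <if> <ip> <mask>
            ifaces[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "route":                   # route <if> <net> <mask> <gw> <metric>
            routes.append((p[1], p[2], p[3], p[4]))
    return names, acls, pools, ifaces, routes


def lint(config):
    """Return (kind, message) findings for the issues raised in the accepted answer."""
    names, acls, pools, ifaces, routes = parse(config)
    out = []

    # peer1 vs Peer1: two different objects that are easy to confuse in a route
    by_lower = {}
    for alias in names:
        by_lower.setdefault(alias.lower(), []).append(alias)
    for variants in by_lower.values():
        if len(variants) > 1:
            out.append(("name-case", ", ".join(f"{v}={names[v]}" for v in variants)))

    # VPN pool addresses taken from an interface's own subnet
    for pname, (lo, hi) in pools.items():
        for iname, iface in ifaces.items():
            if lo in iface.network or hi in iface.network:
                out.append(("pool-overlap", f"{pname} {lo}-{hi} inside {iname} {iface.network}"))

    # 'any' in nat0 / split-tunnel ACLs
    for aname, entries in acls.items():
        if "nat0" in aname or "splitTunnel" in aname:
            for entry in entries:
                if "any" in entry:
                    out.append(("acl-any", f"{aname}: {' '.join(entry)}"))

    # PIX 6.x will not forward a packet back out the interface it came in on, so a
    # 'route inside' only helps traffic that arrived on another interface (e.g. VPN).
    seen = {}
    for iface, net, mask, gw in routes:
        prefix = f"{names.get(net, net)}/{mask}"
        if iface == "inside":
            out.append(("same-interface", f"{prefix} via {gw}: unreachable for hosts defaulting to the PIX"))
        seen.setdefault(prefix, set()).add(iface)
    for prefix, ifs in seen.items():
        if len(ifs) > 1:
            out.append(("split-route", f"{prefix} routed on {sorted(ifs)}"))
    return out


if __name__ == "__main__":
    for kind, msg in lint(PIX_CONFIG):
        print(f"{kind:15} {msg}")
```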

Author Comment

by:rgomez101
ID: 16768791
Ok,

So I should create a different subnet for the VPN users. To be able to implement this change I would prefer to do it on Saturday or Sunday, to give a warning to all my users.

So, to recap, what I should do is change:

ip local pool vpnpool 10.13.1.160-10.13.1.180

for something like

ip local pool vpnpool 172.13.1.160-172.13.1.180

And all the associated rules, and it will clear up some issues... right?

RG

Expert Comment

by:lrmoore
ID: 16768934
Right.

Author Comment

by:rgomez101
ID: 16772220
Perfect. I will apply the changes on Monday and I will post the results.

Thanks.

RG

Author Comment

by:rgomez101
ID: 16785460
I was requested by the VPN users to perform this change by Tuesday at 2:00pm ET. Thank you for your patience and I will refresh this question as soon as I change the subnet of the VPN users.

RG

Author Comment

by:rgomez101
ID: 16792693
OK, I made the change. The VPN users now have the subnet 172.16.10.X. What should I do next?

Thanks for all your help.

RG

Author Comment

by:rgomez101
ID: 16792700
Right now, I eliminated the static routes in the firewall and the users are not allowed to gain remote control over the Colocation servers.

RG

Expert Comment

by:lrmoore
ID: 16793842
You probably need to keep these routes on the firewall
   route inside DenverSide 255.255.255.0 10.13.1.1 1
   route inside 10.4.1.0 255.255.255.0 10.13.1.1 1

What is the default gateway for the local users? It should be 10.13.1.1
That router should point its default to the PIX inside 10.13.1.252
Is it a cisco router? Can you provide result of "sho ip route" from it?

Author Comment

by:rgomez101
ID: 16793880
Yes, the default gateway for users is 10.13.1.1. This is the Cisco Router. Then the router points to the Firewall if they are requesting Internet: 10.13.1.252

There are some static routes in the router that will direct the users to the proper sites.

Here is the sanitized (X) copy of the show IP route command:

Gateway of last resort is 10.13.1.252 to network 0.0.0.0

     69.0.0.0/24 is subnetted, 1 subnets
S       69.90.X.0 [1/0] via 10.13.1.253
     10.0.0.0/24 is subnetted, 7 subnets
C       10.11.1.0 is directly connected, FastEthernet0/0.2
C       10.13.1.0 is directly connected, FastEthernet0/0.1
S       10.0.1.0 [1/0] via 192.168.6.1
S       10.0.6.0 [1/0] via 192.168.6.1
S       10.4.1.0 [1/0] via 10.13.1.253
S*   0.0.0.0/0 [1/0] via 10.13.1.252

Expert Comment

by:lrmoore
ID: 16793924
If this router is the user's default gateway, and this router points to the colo server subnet through yet another router, then route statements on the PIX FW are irrelevant.

>S       10.4.1.0 [1/0] via 10.13.1.253
Is 10.4.1.0 the colocation servers?

Now you have to look at the router that is 10.13.1.253
Where does its default route point? It appears you've got some strange routing going on here with multiple routers and the firewall... Can you make a diagram of all the routers and connections that we're dealing with here?




Author Comment

by:rgomez101
ID: 16799557
Ok, let's review this.

10.4.x is a VPN connection we created about a year ago, and it worked only for a few months. It is not working today at all, even though the routes and the hardware are there.

Let me try to create a Diagram in here:

        |
        |
        |
     Internet
        |
        |
   modem DSL IP=199.x.x.25
        |
        |
     Switch ------- DLink Box IP=10.13.x.253 -----+
        |                                          |
        | (Out)=199.x.x.27                         |
     Firewall ------------------------------- Cisco Switch 48 ports ------ T1 Line
        (in)=10.13.x.252                           |
                                                   |
                                             Workstations

The Dlink Box as well as the Firewall have the Gateway as 199.x.x.25

RG







Author Comment

by:rgomez101
ID: 16799820
So , I have eliminated ALL the static routes in the Firewall:

- No connection from Peer1 to the office.
- No connection TO Peer1 while using a VPN client

Now, I looked into the logs, and when I ping FROM Peer1 to the Office, I get the following in the PIX log:

No route to 69.9x.x.x9 from 199.x.x.27

Why?

RG

Author Comment

by:rgomez101
ID: 16800082

Ok, I always use the trial and error technique. So far this is what is happening:

- All the internal network is exempted from NAT to all VPN users.
- no static routes. Only 0.0.0.0 0.0.0.0 pointing to gateway 199.x.x.25
- No VPN split Tunnel

I use split tunnel to allow VPN users to use the Internet at the same time as they are connected. It is a requirement from Management.

The scenario hasn't changed:

- No connection from Peer1 to the office.
- No connection TO Peer1 while using a VPN client

BUT, I noticed that HTTP is working while connected to VPN. If I try webmin or any HTTP service to Peer1, it works. If I ping or SSH, it doesn't. Strange.

RG

Expert Comment

by:stressedout2004
ID: 16801973
You need to have a static route on the PIX pointing back to the internal router which has a route leading to Peer1.
Peer1 in return should have a route for the PIX subnet and the VPN pool subnet pointing back to the same internal router. You cannot completely eliminate the static route unless you intend the traffic to go externally rather than internally.

Let's step back a little, with this route on the PIX, can you reach the Peer1 subnet from the PIX itself?

route inside Peer1 255.255.255.0 10.13.1.1 1

If not, you have to make sure that Peer1 knows how to communicate back to 10.13.1.0/24. Which means that on Peer1, you should have a static route pointing back to the direction of the T1 router or the internal router (10.13.1.1) depending on how the network connections are laid out.

Author Comment

by:rgomez101
ID: 16802495
If you take a close look at the diagram, my gateways to Internet are the Dlink and the Firewall.  In Peer1, the trusted IPs are 199.x.x.26 and 27

So I have to establish a static route in Peer1 pointing back to 199.x.x.26 and 27?

      Peer1
        |
        |
     Internet
        |
        |
   modem DSL IP=199.x.x.25
        |
        |           Ext IP=199.x.x.26
     Switch ------- DLink Box IP=10.13.x.253 -----+
        |                                          |
        | (Out)=199.x.x.27                         |
     Firewall ------------------------------- Cisco Switch 48 ports ------ T1 Line
        (in)=10.13.x.252                           |
                                                   |
                                             Workstations

Author Comment

by:rgomez101
ID: 16808946

When using VPN tunnel , I ping the colocation servers at Peer1 and I get this in the Firewall log:

Deny inbound (No xlate) icmp src outside:172.x.x.100 dst outside:69.x.x.19 (type 8, code 0)

Any light?

RG

Author Comment

by:rgomez101
ID: 16809197
I found this, and I have created static routes Inbound, Outbound, different gateways, NOTHING.

http://www.eventid.net/firegen/pixmessages.asp?lic=1234567&code=3-106011

RG

Expert Comment

by:stressedout2004
ID: 16813310
RG, I'm looking through your previous post, specifically the show ip route of the Cisco router (10.13.1.1)

S       69.90.X.0 [1/0] via 10.13.1.253

Is the 69.90.x.0 being referred to above the Colocation site? The IP is masked so I just wanna make sure.
If that is the case, is there any reason why that is pointing back to 10.13.1.253 which is the internal IP of the DLINK basing from the topology you provided? The Colocation you said is connected via T1, it only makes sense that you send the traffic back to it via the same T1.

Also the logs you were seeing on the firewall, where is the 172.x.x.100 coming from? If it is from the VPN tunnel, it should be coming from 10.13.1.160 subnet.

There's a lot of pieces missing in the picture here, like on your topology, how is the Cisco router connected, Does it terminate the T1 too or is another device doing that? Your issue has something to do with routing, you can leave the VPN out of the picture to make it easier. If your main office can't even talk to the colocation, then it only makes sense that the VPN won't be able to as well. Can you even ping the colocation site from the Cisco router? You should start there.

Author Comment

by:rgomez101
ID: 16817051
Ok,

StressedOut: The 10.3.1.160 subnet does not exist anymore. That was the old subnet for the VPN users. According to the experts, I replaced that Subnet to 172.x.x.100.

The Colocation Site is located in 69.90.x.0 and is NOT connected via T1. It is connected thru the Internet. Please ignore the T1 connection for now. I don't think it matters because it is different traffic, directed to the States, and it is working OK.

In the Colocation site, there is a Firewall that is open to any traffic coming from our DLink and from our Firewall. The external ips are 26 and 27 respectively.

Please read this and I will post another line with What I can ping and what I can't.

Thanks for reply.
RG

Author Comment

by:rgomez101
ID: 16817130
ok,

The Colocation administrator checked his side and he says there are no static routes in the Colocation. OUR VPN Tunnel to the DLINK was DOWN for WEEKS, and that's why he ALLOWED unencrypted traffic coming from the Firewall (ip=27) to go thru.

He fixed the VPN Tunnel and now it is working.

I can Ping:

From the Office to the Colocation Server With NO problem
From the Colocation server I can ping the DSL modem (25) the DLINK (26) the Firewall Out Interface (27)
From the Colocation server we CANNOT ping the NAT servers inside of the office in the IPs 28, 29 and 30.
From anywhere in the Internet I can ping these 28,29 and 30 Servers. I open echo and echo-reply while doing tests.

While Connected with VPN client to the office:
I can not ping the Colocation servers. I can ping the entire internal network but not Peer1.

RG

Author Comment

by:rgomez101
ID: 16817163
Since the guy fixed the VPN tunnel we have now TWO ways to connect to our email server inside of our network:

1) Use the Public IP address (A Record) for my email  (not working, and that is the whole issue of this problem)
2) Use the Internal IP for the Email.

The Servers in the Colocation can now Ping the internal addresses.  How can I let the server know that every email going to mydomain.com should use IP 10.13.x.201 instead of the public IP ?

Thanks

RG

Author Comment

by:rgomez101
ID: 16818654
I found it. I modified the /etc/hosts file and I included our email in the list.

Now, how can I ping, SSH and Telnet to port 25 on my email server FROM the Colo and not get any email?

The queue says:  Deferred: Connection timed out with mail.xxxx.com

Why ?

RG

Author Comment

by:rgomez101
ID: 16845620

OK EVERYBODY... I received one tip from one Tech guy that came here. He mentioned that the Switch that I have is creating problems. Let's take a look again to the diagram:

     Internet
        |
        |
   modem DSL IP=199.x.x.25
        |
        |
     Switch ------- DLink Box IP=10.13.x.253 -----+
        |                                          |
        | (Out)=199.x.x.27                         |
     Firewall ------------------------------- Cisco Switch 48 ports ----------------
        (in)=10.13.x.252

He said the incoming traffic was getting confused by the DLink Box and the Firewall. He said I shouldn't split this connection, so I REMOVED THE SWITCH AND NOW I AM RECEIVING EMAILS FROM THE COLOCATION SITE.

Now, that is only 50% of my problem. I am willing to give the points to whoever helps me with the VPN part. Remember that the users cannot gain control over the remote Colo site.

So that is, when a remote user dials in using the Cisco VPN client, he cannot SSH to the 69.90.x IPs. Can somebody point me in the right direction?

RG