But don't take it from us. The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios. Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!
COURSE of the MONTH
9 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Complex VPN Config - VPN to a network not on the VPN connected device (behind a second firewall)
Posted on 2006-06-13
I have 6 internal 192.168 networks behind a firewall. I need VPN access to these networks but I can't make the firewall itself the VPN endpoint.
I have the following setup.
I have a VPN in place between my office (Cisco PIX506E) and a Cisco 2811 router. I then need to get from the router to the 192.168 networks behind a firewall which I don't directly manage.
+-------------------+ +-------------------+ +---------------------+ +--------192.168.0.0/24
| PIX506E | | 2811 | | Firewall | +--------192.168.1.0/24
|Ins 192.168.50.1 |-------------|Ins 88.88.88.1 |-----------|Ins 192.168.100.1|------------
|Out 99.99.99.1 | |Out 77.77.77.1 | |Out 88.88.88.2 | +--------192.168.3.0/24
+--------------------+ +-------------------+ +--------------------+ +--------192.168.4.0/24
I have ny VPN setup between two endpoints - 99.99.99.1 and 77.77.77.1.
What static route statements do I need now, and where do I need them, to ensure that I get from the 192.168.50.0/24 network behind my PIx through to the 192.168.0-5.0/24 networks behind the firewall and back again ? I have tried a number of different configs and haven't yet been able to get this to work.
Also, in my crypto access lists for the traffic to be protected by the VPN, I assume I need to add an entry for the destination 192.168.0-5.0/24 networks, as well as entries for the inside networks on the PIX and 2811.
Any help would be greatly appreciated.
Thanks.
I have the following setup.
I have a VPN in place between my office (Cisco PIX506E) and a Cisco 2811 router. I then need to get from the router to the 192.168 networks behind a firewall which I don't directly manage.
+-------------------+ +-------------------+ +---------------------+ +--------192.168.0.0/24
| PIX506E | | 2811 | | Firewall | +--------192.168.1.0/24
|Ins 192.168.50.1 |-------------|Ins 88.88.88.1 |-----------|Ins 192.168.100.1|------------
|Out 99.99.99.1 | |Out 77.77.77.1 | |Out 88.88.88.2 | +--------192.168.3.0/24
+--------------------+ +-------------------+ +--------------------+ +--------192.168.4.0/24
I have ny VPN setup between two endpoints - 99.99.99.1 and 77.77.77.1.
What static route statements do I need now, and where do I need them, to ensure that I get from the 192.168.50.0/24 network behind my PIx through to the 192.168.0-5.0/24 networks behind the firewall and back again ? I have tried a number of different configs and haven't yet been able to get this to work.
Also, in my crypto access lists for the traffic to be protected by the VPN, I assume I need to add an entry for the destination 192.168.0-5.0/24 networks, as well as entries for the inside networks on the PIX and 2811.
Any help would be greatly appreciated.
Thanks.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
2- +1
14 Comments
Active 5 days ago
Well one way or the other, you will have to make changes to the Firewall that you don't manage to get this setup to work. What is the default gateway of the Firewall (88.88.88.2)? Is it the 2811 (88.88.88.1)? And what brand of firewall is 88.88.88.2?
Firewall 88.88.88.2 is proprietary, provided by the ISP. The 2811 is not the gateway for this firewall.
The setup was originally a standard one. For reasons which I won't go into we can't use the ISP firewall for VPN connections. These will all need to go from the PIX to the 2811, and then on to the ISP firewall, and then reversed to go the other way.
The gateway for the 2811 is 77.77.77.2.
The ISP firewall will pass all traffic from 192.168.0-5.0/24 back out to the internet, except for traffic which has been defined as being destined for the VPN, i.e. 192.168.50.0/24 traffic from the PIX, which will be passed to the 2811 instead of straight back out to the Net.
The setup was originally a standard one. For reasons which I won't go into we can't use the ISP firewall for VPN connections. These will all need to go from the PIX to the 2811, and then on to the ISP firewall, and then reversed to go the other way.
The gateway for the 2811 is 77.77.77.2.
The ISP firewall will pass all traffic from 192.168.0-5.0/24 back out to the internet, except for traffic which has been defined as being destined for the VPN, i.e. 192.168.50.0/24 traffic from the PIX, which will be passed to the 2811 instead of straight back out to the Net.
I forgot to say, although we have no direct control over the ISP firewall we can request whatever changes are needed to make this configuration work.
Thanks.
Thanks.
Active 4 days ago
The static routes you should need for this is
1. On the 2811, a default route out to the internet and also a route for 192.168.50.0/24 with a next hop of 99.99.99.1.
2. On the PIX a default route and also routes for 192.168.0.0-4 with a next hop of 77.77.77.1.
Since the firewall is dealing with decrypted traffic, it will need to pass all traffic between the private networks on either end- from 192.168.50.0/24 to the others and back. Same for the crypto maps. It doesn't matter what's connected, what matters is the source and destination networks.
If I'm missing something I'm sure someone else will add to this.
1. On the 2811, a default route out to the internet and also a route for 192.168.50.0/24 with a next hop of 99.99.99.1.
2. On the PIX a default route and also routes for 192.168.0.0-4 with a next hop of 77.77.77.1.
Since the firewall is dealing with decrypted traffic, it will need to pass all traffic between the private networks on either end- from 192.168.50.0/24 to the others and back. Same for the crypto maps. It doesn't matter what's connected, what matters is the source and destination networks.
If I'm missing something I'm sure someone else will add to this.
Active 4 days ago
Ummm...good point. If those subnets are NATted then you need to substitute the public addresses.
Active 5 days ago
Here's what you need:
PIX 506e:
a) Modify the NAT 0 and Crypto match address access-list so that it includes traffic to 192.168.0.0 to 4.0/24 from 192.168.50.0/24
b) As far as routing is concern, there's no need for any explicit static routes to the remote network as long as this PIX
has a default gateway going out to the internet. Of course I am assuming that the PIX 506e is connected to the internet and is on an entirely different location from the 2811.
2811:
a) Modify the crypto match address to include traffic to 192.168.50.0/24 from 192.168.0.0 to 4.0/24.
b) A static route for 192.168.0.0 to 4.0 pointing back to the 88.88.88.2
Firewall controlled by ISP:
a) You need a static route for 192.168.50.0/24 pointing back to 88.88.88.1
b) If your ISP is doing NAT (which is most likely the case, otherwise 192.168.0.0-4.0/24 won't get internet access),
asked them to make a NAT exception rule such that when the network 192.168.0.0 to 4.0/24 communicates with 192.168.50.0/24 they won't be NATted.
PIX 506e:
a) Modify the NAT 0 and Crypto match address access-list so that it includes traffic to 192.168.0.0 to 4.0/24 from 192.168.50.0/24
b) As far as routing is concern, there's no need for any explicit static routes to the remote network as long as this PIX
has a default gateway going out to the internet. Of course I am assuming that the PIX 506e is connected to the internet and is on an entirely different location from the 2811.
2811:
a) Modify the crypto match address to include traffic to 192.168.50.0/24 from 192.168.0.0 to 4.0/24.
b) A static route for 192.168.0.0 to 4.0 pointing back to the 88.88.88.2
Firewall controlled by ISP:
a) You need a static route for 192.168.50.0/24 pointing back to 88.88.88.1
b) If your ISP is doing NAT (which is most likely the case, otherwise 192.168.0.0-4.0/24 won't get internet access),
asked them to make a NAT exception rule such that when the network 192.168.0.0 to 4.0/24 communicates with 192.168.50.0/24 they won't be NATted.
I have amended my configs with the changes above that hadn't been made already.
When I now try to map a drive from a PC on 192.168.50.110, behind my PIX, to 192.168.0.10 at the other end it seems to almost work. If I go to mapped drives in Explorer I can see the drive listed, but it seems to lock up explorer and I can't actually access the drive. Any ideas on how I can try to diagnose what might be happening ?
Also, how can I configure a Cisco VPN Client to get to the 192.168.0-4.0 networks ? If I have a VPN connection to 77.77.77.1, I assume that the routing statements already in place as detailed above will get the traffic through to the 192.168.0-4.0 destination, but how does my PC where I'm running the client know to send that traffic down the VPN tunnel instead of straight out to the Net through the normal route ? I don't have an access-list at the VPN Clinet end that will capture that traffic ?
Thanks for all the help so far.
When I now try to map a drive from a PC on 192.168.50.110, behind my PIX, to 192.168.0.10 at the other end it seems to almost work. If I go to mapped drives in Explorer I can see the drive listed, but it seems to lock up explorer and I can't actually access the drive. Any ideas on how I can try to diagnose what might be happening ?
Also, how can I configure a Cisco VPN Client to get to the 192.168.0-4.0 networks ? If I have a VPN connection to 77.77.77.1, I assume that the routing statements already in place as detailed above will get the traffic through to the 192.168.0-4.0 destination, but how does my PC where I'm running the client know to send that traffic down the VPN tunnel instead of straight out to the Net through the normal route ? I don't have an access-list at the VPN Clinet end that will capture that traffic ?
Thanks for all the help so far.
Update -
I mapped a drive from 192.168.0.10 to a PC behind my PIX, on 192.168.50.110, aand left it running. When I went back a few minutes later the drive mapping was listed in the Disconnect Network Drive under Explorer Tools on 192.168.0.10, and was also listed as a drive under My Computer.
However, when I click on it to access it Explorer seems to hang. It seems as though traffic is getting across the VPN tunnel but it's running extremely slowly. Any ideas on how I can diagnose where the problem could be ?
I mapped a drive from 192.168.0.10 to a PC behind my PIX, on 192.168.50.110, aand left it running. When I went back a few minutes later the drive mapping was listed in the Disconnect Network Drive under Explorer Tools on 192.168.0.10, and was also listed as a drive under My Computer.
However, when I click on it to access it Explorer seems to hang. It seems as though traffic is getting across the VPN tunnel but it's running extremely slowly. Any ideas on how I can diagnose where the problem could be ?
Active 4 days ago
>how does my PC where I'm running the client know to send that traffic down the VPN tunnel
The PC has to have the correct route, which is called split tunneling. You can do a route add for now just to test. Most VPN servers can supply the routes to the client, you should look at how to configure it on the 2811 (I don't know). Maybe it's already doing it- try netstat -rn on your PC when the vpn is up and when it's down.
It's possible that if you get that fixed data will flow better too. Let's get that done first. Also make sure that the firewalls on both sides are permitting all IP between the subnets- at least until everything is working and you know what you need.
The PC has to have the correct route, which is called split tunneling. You can do a route add for now just to test. Most VPN servers can supply the routes to the client, you should look at how to configure it on the 2811 (I don't know). Maybe it's already doing it- try netstat -rn on your PC when the vpn is up and when it's down.
It's possible that if you get that fixed data will flow better too. Let's get that done first. Also make sure that the firewalls on both sides are permitting all IP between the subnets- at least until everything is working and you know what you need.
Featured Post
WatchGuard's newest M series appliances were put to the test by Miercom. We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management? Have you ever backed up the firewall policy residing on the SmartCenter? If you have then you know the hassles of connecting to the server, doing an upgrade_…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses
Course of the Month9 days, 14 hours left to enroll
762 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.