• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

Cisco VPN 3005 Concentrator static route

I have 2 networks connected by a pt to pt t1.  Users in both offices can access resources in each office.  At the main office, I have a Cisco 3005 Concentrator for road users.  The remote users logged into the Concentrator cannot access the server on the remote subnet.  I  added a static route on the concentrator for the remote subnet.  Is there something else I need to do for the road users to see the remote subnet?  The road users are on the same subnet as the main office when logged in to the VPN.
0
jim0816
Asked:
jim0816
  • 2
  • 2
1 Solution
 
lrmooreCommented:
You also need to add a route on the T1 router(s) for the subnet/pool of IP's being used by the VPN clients
0
 
jim0816Author Commented:
Ok this now becomes a 2 part question.  I now need to resolve the subnetting.  I will bump the points to 500 and split if needed.  

 My main office subnet was 10.10.1.0/24.  I have changed to 2 subnets 10.10.1.128 (for vpn users) and 10.10.1.0 (for office users) with mask 255.255.255.128.  I put a static route for 10.10.1.128 to the inside interface of the 3005 (10.10.1.5).   I still cannot see the remote subnet from the concentrator.   Here is a diagram:

10.10.3.0 ------10.10.3.100 (remote t1 router)--192.168.1.2-----------t1-----------192.168.1.1--10.10.1.100(local t1 router)-------------|
                                                                                                                                                                                               |-----10.10.1.5(cisco 3005)-----10.10.1.128/255.255.255.128(subnet for vpn users)
                                                                                                                                                                                               |------10.10.1.0/255.255.255.128(local users)
                                                                                                                                                                                               |---10.10.1.101----internet

Is the subnetting correct?
0
 
lrmooreCommented:
The subnetting will work fine as long as every single device has the same mask.
Remote T1 router has default pointing to 192.168.1.1 ?
  ip route 0.0.0.0 0.0.0.0 192.168.1.1 ??

Local T1 router has default pointing to 10.10.1.101 Internet? Is this a firewall? PIX? Router?
 ip route 10.10.3.0 255.255.255.0 192.168.1.2
 ip route 0.0.0.0 0.0.0.0 10.10.1.101
 ip route 10.10.1.128 255.255.255.128 10.10.1.5

3005 has route statement equivilent to:
 ip route 10.10.3.0 255.255.255.0 10.10.1.100  <== pointing to  local T1 router

Assuming that the Internet router/firewall serves remote office also, it needs routes, too. This is PIX syntax
 route inside 10.10.3.0 255.255.255.0 10.10.1.100

Now the biggie -- IF the Internet is a PIX, then the following MUST be TRUE:
 All local LAN clients point default gateway to LOCAL T1 ROUTER - 10.10.1.100
 NOT to the PIX.


0
 
jim0816Author Commented:
Thanks for the help.   All works well.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now