Add a static route to VPN?

Posted on 2009-04-23
Last Modified: 2012-05-06
Our network uses VPNs and VLANs.  

I have one device in VLAN 10 (192.168.10.x range), but when you login over the VPN, we put you in VLAN 12 (192.168.12.x range).

I want to make it so when I come in on the VPN, I can hit that one device in VLAN10.  I think I need to add a static route, just not sure where... on the PIX?
Question by:dougp23
Expert Comment

ID: 24220822
It is always a good idea to add static routes in the pix for vpn clients.

for your vlan 10:
pix(config)#route inside [subnet mask of this network]  [inside interface of pix ip address]
pix(config)#route inside [subnet mask of this network]  [inside interface of pix ip address]

Also, your router or layer 3 switch on your inside LAN should have either static routes for the above networks pointing to the inside interface of the PIX, or a dynamic routing protocol such as EIGRP, RIP, or OSPF to find all your VLANs, so traffic can go to all the default gateways of your VLANs.


Author Comment

ID: 24224308
I have those routes, but I think this is the relevant VPN stuff:

access-list 101 permit ip

When you VPN in, we give you a 192.168.2.x address.  So we are saying, once you have that 2 addy, you can go anywhere in 12 land.
What I want to say is "You can go anywhere in 10 land, PLUS you can also go to".

How would I do that?

Accepted Solution

Voltz-dk earned 2000 total points
ID: 24226457
In the original post you wanted 1 server in VLAN10, now you want 1 in VLAN12 - did you confuse them?
I'll go general since I'm uncertain of the specifics you want :)

You don't tell what access-list 101 is applied to, or what other access-lists are relevant (You aren't reusing 1 for several purposes, right? *shame on you if you do*)
Are you using split-tunnel?  If you are, you need to add this extra host to that.  In either case you'd likely require NAT-exemption, and then you add this host to that.

So from the limited bit you have shown, yes you extend the access-list (provided it's ALL VLAN12 & 1 VLAN10):
access-list 101 permit ip host

But the security of it is likely right down to missing translations now.  And of course, if the server can be accessed with shell/RDP you can jump on further into VLAN10.
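The three pieces the accepted answer mentions (a static route, NAT exemption, and a split-tunnel list extended with the single extra host) put together as one constructed PIX 6.x configuration. This is an added example, not configuration from the thread or from dougp23's firewall: the address ranges come from the question, but the VLAN 10 host address (192.168.10.50), the inside layer 3 switch address (192.168.12.1), and the vpngroup name "remote" are placeholders, and the dedicated access-list names "nonat" and "split" are chosen here rather than reusing access-list 101.

```cisco
! Constructed example, not from the thread. Assumed: PIX 6.x syntax,
! VPN client pool 192.168.2.0/24, VLAN 12 = 192.168.12.0/24,
! VLAN 10 = 192.168.10.0/24, the one VLAN 10 host = 192.168.10.50 (placeholder),
! inside layer 3 switch = 192.168.12.1 (placeholder), vpngroup "remote" (placeholder).

! 1. Static route: the PIX must know VLAN 10 sits behind the inside L3 switch,
!    otherwise return traffic for the VPN client never gets there.
route inside 192.168.10.0 255.255.255.0 192.168.12.1 1

! 2. NAT exemption: traffic between the inside networks and the VPN pool must
!    not be translated. Only the one VLAN 10 host is exempted, not the whole VLAN.
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip host 192.168.10.50 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Split tunnel: only these destinations are sent through the tunnel by the
!    client; the list deliberately mirrors the NAT exemption so both agree.
access-list split permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip host 192.168.10.50 192.168.2.0 255.255.255.0
vpngroup remote split-tunnel split
```

After applying, `show route` should list the 192.168.10.0 entry via 192.168.12.1 and `show access-list` should show hit counts rising on the nonat and split entries as a client connects. Keeping the VLAN 10 entry to a single host (rather than the whole /24) is what limits the exposure the answer warns about: the client can reach that one server, and the server's own hardening decides whether it can be used as a jump point further into VLAN 10.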
