Add a static route to VPN?

Posted on 2009-04-23
Last Modified: 2012-05-06
Our network uses VPNs and VLANs.

I have one device in VLAN 10 (192.168.10.x range), but when you log in over the VPN, we put you in VLAN 12 (192.168.12.x range).

I want to make it so that when I come in on the VPN, I can hit that one device in VLAN 10. I think I need to add a static route, just not sure where... on the PIX?
Question by: dougp23
    LVL 15

    Expert Comment

    It is always a good idea to add static routes in the PIX for VPN clients.

    for your vlan 10:
    pix(config)#route inside [network address] [subnet mask of this network] [next-hop ip address on the inside interface]
    pix(config)#route inside [network address] [subnet mask of this network] [next-hop ip address on the inside interface]

    Also, your router or layer 3 switch on your inside LAN should have either static routes for the above networks pointing to the inside interface of the PIX, or a dynamic routing protocol such as EIGRP, RIP, or OSPF to find all your VLANs, so traffic can reach all the default gateways of your VLANs.

    LVL 1

    Author Comment

    I have those routes, but I think this is the relevant VPN stuff:

    access-list 101 permit ip

    When you VPN in, we give you a 192.168.2.x address. So we are saying, once you have that 2 addy, you can go anywhere in 12 land.
    What I want to say is "You can go anywhere in 10 land, PLUS you can also go to".

    How would I do that?

    LVL 15

    Accepted Solution

    In the original post you wanted 1 server in VLAN10, now you want 1 in VLAN12 - did you confuse them?
    I'll go general since I'm uncertain of the specifics you want :)

    You don't say what access-list 101 is applied to, or what other access-lists are relevant (you aren't reusing one for several purposes, right? *shame on you if you do*).
    Are you using split-tunnel? If you are, you need to add this extra host to that. In either case you'd likely require NAT exemption, and then you add this host to that.

    So from the limited bit you have shown, yes, you extend the access-list (provided it's ALL of VLAN 12 and 1 host in VLAN 10):
    access-list 101 permit ip host

    But the security of it likely comes right down to missing translations now. And of course, if the server can be accessed with shell/RDP you can jump on further into VLAN 10.
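As an added illustration of what the accepted solution describes (this is not the thread's own configuration), here is a PIX 6.x fragment that scopes the VPN-side ACL to all of VLAN 12 plus a single VLAN 10 host, reuses it for NAT exemption and split tunnelling, and adds the inside static route. The VPN pool 192.168.2.0/24 and VLAN 12 192.168.12.0/24 are taken from the thread; the VLAN 10 host 192.168.10.50, the inside next hop 192.168.12.1, the /24 masks and the group name REMOTE are placeholders.

```cisco
: Added example, not the thread's configuration. Placeholders: 192.168.10.50 (the one
: VLAN 10 device), 192.168.12.1 (inside next hop, the L3 switch), group name REMOTE.
: VPN pool 192.168.2.0/24 and VLAN 12 192.168.12.0/24 are taken from the thread.
:
: 1. Interesting traffic: everything in VLAN 12, plus exactly one host in VLAN 10.
:    "host" rather than a /24 keeps VPN users out of the rest of VLAN 10.
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.10.50 192.168.2.0 255.255.255.0
:
: 2. NAT exemption: the same ACL, so traffic to these destinations is not translated.
nat (inside) 0 access-list 101
:
: 3. Split tunnel: clients only send these destinations down the tunnel.
vpngroup REMOTE split-tunnel 101
:
: 4. Routing: the PIX must know VLAN 10 sits behind the inside L3 switch,
:    not on the inside interface itself.
route inside 192.168.10.0 255.255.255.0 192.168.12.1 1
:
: Check: the ACL should list only the networks you intend to expose to VPN users.
show access-list 101
```

If the same ACL is also used as the crypto map match or as an interface ACL, split it into separate lists so a later change for one purpose does not silently widen the other.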
