VPN and Routing Issue

jasonpiper01
I have a PIX 506E with IOS 6.3(5) installed; I have configured it to work with an ASA5520 in another location. My inside interface is 10.0.0.0 255.255.255.0; the ASA interface is 10.10.0.0 255.255.0.0. I can ping the gateway of the ASA5520, address 10.10.0.1, and I get a reply. When I try to ping 10.10.50.1 or 10.10.10.15 I get time-out errors. I am stuck, as the 6.3(5) IOS software doesn't have sh ip route, and I am having trouble. When I do a tracert 10.10.50.1, the first hop I get is my ISP gateway for my 506E PIX. Any ideas?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Try the show route command.

Could you give me the configurations?

Author

Commented:
I cannot supply the configurations of this PIX at this time. I only have access to my PIX anyway. I am trying to locate reasons why I would be able to ping the remote gateway and not the other networks connected to the ASA.

The show route command doesn't reference any other networks I am connected to via the VPN; I should be seeing the 192.168.0.0 and 172.16.0.0 networks as well as the 10.10.0.0 network, but I only see routes to my ISP gateway.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
If you connected the VPN, you are able to make a connection to the inside, if you added this address to the nonat pool!

Author

Commented:
I have added the address to the nonat pool; still the same results. I can still ping the remote gateway and its connected networks, but I am unable to ping anything past the 10.10.0.1 address.

Commented:
It may just be a typo, but you said the two networks are 10.0.0.0 255.255.255.0 and 10.10.0.0 255.255.0.0. These subnets overlap. Are you sure this is correct? Are your access lists for the VPN tunnel using the correct networks and masks?

Author

Commented:
Yes, they are typed correctly. I think the issue is that; I just need help confirming it.
Head of IT Security Division
Top Expert 2010
Commented:
What is the address-pool?

Author

Commented:
According to my network peers, it's 10.10.0.0/16 and my internal space is 10.0.0.0/24.
Maybe the network information at the peer is 10.10.0.0/24.

In that case you may need to add 10.10.50.0/24 and 10.10.10.0/24.

Also, at the ASA end (if it is not already there):
route inside 10.10.50.0 255.255.255.0  10.10.0.1 1
route inside 10.10.10.0 255.255.255.0  10.10.0.1 1
 
Your initial question mentions 10.0.0/24 and 10.10/16 addresses; are these configured on the same firewall, or is it one on the 506 inside and one on the 5520 inside?

Also, from your initial question: "... When i do a tracert 10.10.50.1 i get the first hop is my isp gateway for my 506e pix...."
Are you saying here that you think this traceroute is going in the wrong direction, i.e. towards the ISP when it should be going towards the inside? If this is the case, then either the inside interface is not up or you are missing routes to the destination you tried to trace to.

If your configured masks are correct, you should be able to see ARP entries for 10.10.50.1 and 10.10.10.15 in the firewall (show arp) after pinging these addresses from the firewall.

Author

Commented:
I wasn't mistaken; the networks are 10.10.0.0/16 and my inside is 10.0.0.0/24. They are not configured on the same firewall: I have my PIX 10.0.0.0/24 configured here in California and the 10.10.0.0/16 configured on the east coast. When I do a tracert to 10.10.50.1 it points to my ISP gateway address, meaning that it returns a public IP address as its first hop instead of the 10.10.0.1.
Commented:
It looks like it's not matching the VPN access list and so it passes through to the Internet. Can you post config?

Author

Commented:
I solved it; it was a typo in the group object configuration. Thanks guys, I am going to split the points up evenly.
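The symptom in this thread (the remote gateway reachable, hosts past it falling through to the ISP) is what a mistyped mask in the crypto ACL's object-group produces. As an added example, not code from the thread or from either firewall, the checker below parses a constructed PIX 6.3-style object-group and access-list fragment and reports whether a given source/destination pair would be selected as interesting traffic for the tunnel; the config text, group name and ACL name are all assumed.

```python
import ipaddress

# Constructed PIX 6.3-style fragments modelled on the thread, not the poster's
# real configuration: the object-group mask is mistyped as /24 instead of /16.
PIX_CONFIG_TYPO = """
object-group network remote_lan
 network-object 10.10.0.0 255.255.255.0
access-list vpn_traffic permit ip 10.0.0.0 255.255.255.0 object-group remote_lan
"""
PIX_CONFIG_FIXED = PIX_CONFIG_TYPO.replace("10.10.0.0 255.255.255.0", "10.10.0.0 255.255.0.0")


def _endpoint(tok, i, groups):
    """Parse one ACL endpoint (object-group, host, any or addr mask) at tok[i]."""
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def parse_config(text):
    """Return ({group: [networks]}, {acl: [(src_nets, dst_nets)]}) for permit lines."""
    groups, acls, current = {}, {}, None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and tok[2] == "permit":
            src, i = _endpoint(tok, 4, groups)  # tok[3] is the protocol
            dst, _ = _endpoint(tok, i, groups)
            acls.setdefault(tok[1], []).append((src, dst))
    return groups, acls


def path_for(config_text, acl_name, src_ip, dst_ip):
    """'tunnel' if src->dst matches the crypto ACL, else 'internet' (default route)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    _, acls = parse_config(config_text)
    for src_nets, dst_nets in acls.get(acl_name, []):
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return "tunnel"
    return "internet"
```

With PIX_CONFIG_TYPO, 10.0.0.5 to 10.10.0.1 is selected for the tunnel while 10.10.50.1 and 10.10.10.15 fall through to the default route; with PIX_CONFIG_FIXED all three go through the tunnel.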
