Static routing through IPSec tunnel

Posted on 2011-03-07
Last Modified: 2012-05-11
Hello experts!

I need some help on setting up a static route through an IPSec tunnel to access a 3rd party server. The background is:

From our office network we are accessing a 3rd party server (212.xxx.xxx.173) that only allows access from specific IP-numbers, i.e. our external IP-number (82.xxx.xxx.64)

I also need to access the 3rd party when at home and before I used a PPTP connection to access our office network. Then I got an IP-number from the internal office network i.e. (192.168.111.15) and I could easily route my traffic with a ROUTE ADD 212.xxx.xxx.172 192.168.111.15.

Now the home and office networks are connected with an IPSec tunnel, which is much more practical, but then I do not know how (if it is even possible) to route the connection to the 3rd party through my office network so that the request seems to be made from the authorized IP-number.

My guess would be that I need to set a static route in the home firewall, but this has not succeeded.

Questions:

1. If I was to set up a static route on the home firewall, how should that look?
2. Is it possible to set up a static route on my PC on the home network that would achieve the same?

Details:

3rd party IP: 212.xxx.xxx.173
Office public IP: 82.xxx.xxx.64
Office internal network: 192.168.111.0/24
Home public IP: 213.xxx.xxx.124
Home internal network: 192.168.0.0/24

Many thanks in advance!

/Lospilotos
Question by:lospilotos
Expert Comment

by:Miguel Angel Perez Muñoz
ID: 35067009
Supposing that routing between home and office is ok, add a static route in home's router:
dest: 212.xxx.xxx.173/24 gateway: IP internal at office.

I don't know what router model you have at home.

Author Comment

by:lospilotos
ID: 35067084
Thanks for the reply. That is exactly what I have tried. Starting to suspect something wrong with the home router. It is a consumer class router from Linksys, WRVS4400N.

When I add the route and then click "Show routing table" from the web config of the router, nothing is changed...

Author Comment

by:lospilotos
ID: 35067962
Let's assume that the home router is defective in some way and will not allow me to create a static route using the gateway on the remote network. Is there any way of doing this on the local PC instead? ROUTE ADD 212.xxx.xxx.173 192.168.111.1 is accepted but does not work.
Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 63 total points
ID: 35068766
try this: route add 212.xxx.xxx.173 mask 255.255.255.255 192.168.111.1 metric 1

Author Comment

by:lospilotos
ID: 35069223
Thanks, but what you suggested produced the same result in the routing table as my previous -
route add 212.xxx.xxx.173 192.168.111.1
Expert Comment

by:SIM50
ID: 35069233
If I understand you correctly, you want to route from the IPsec tunnel which connects your home to your office and then route to the 3rd party site-to-site VPN. This is called hairpinning. On your ASA which terminates both VPNs, enter this command: same-security-traffic permit intra-interface.

Author Comment

by:lospilotos
ID: 35069390
SIM50: Not quite. The traffic from the office to the 3rd party is over normal internet. There is no VPN tunnel to the 3rd party. Just to make sure, I ran your command and there was no change. I also checked the ASA's log and the traffic is not hitting it at all.

Author Comment

by:lospilotos
ID: 35069408
This is what I'm trying to achieve:

PC ----WLAN----> Linksys ----VPN----> ASA ----Internet-----> 3rd party

This is what seems to happen

PC ----WLAN----> Linksys ----Internet-----> 3rd party

Accepted Solution

by:lospilotos
lospilotos earned 0 total points
ID: 35069480
Response from Cisco/Linksys:

"The Wrvs4400n will not allow you to do a static route through the ipsec interface or tunnel.  All our small business devices only support connectivity to the default lan on the other side.

To get more than one network across the tunnel you would have to put your remote addresses together like 192.168.0.0 and 192.168.1.0 and do a subnet of 255.255.252.0 to access more than one network through the tunnel.

The only way to do a static route through a tunnel would be with one of our enterprise devices."


Thanks for your responses, which I'm sure would have worked if the Linksys product was up to par...
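An added example (not from the thread, Cisco or Linksys) that models why the accepted answer comes out the way it does: the PC's static route only changes the next hop, while a policy-based IPsec device like the WRVS4400N encrypts only packets whose own source and destination fall inside the configured selector pair. All addresses are constructed stand-ins for the redacted ones, and the supernet helper mirrors the vendor's summarisation workaround.

```python
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network

# Constructed stand-ins for the addresses redacted in the question.
THIRD_PARTY = ip_address("192.0.2.173")      # plays the role of 212.xxx.xxx.173
HOME_LAN = ip_network("192.168.0.0/24")
OFFICE_LAN = ip_network("192.168.111.0/24")
HOME_PC = ip_address("192.168.0.15")
OFFICE_HOST = ip_address("192.168.111.50")   # any host on the office LAN
HOME_GW = "192.168.0.1"                      # the WRVS4400N (assumed address)
OFFICE_GW = "192.168.111.1"                  # office-side gateway used in the thread

# Home PC routing table after the thread's "route add ... 192.168.111.1".
PC_ROUTES = [
    (ip_network("0.0.0.0/0"), HOME_GW),
    (HOME_LAN, "on-link"),
    (ip_network("192.0.2.173/32"), OFFICE_GW),
]
# Policy-based tunnel on the Linksys: a single (local, remote) selector pair.
SELECTORS = [(HOME_LAN, OFFICE_LAN)]
# The two LANs from the vendor's summarisation example.
VENDOR_EXAMPLE = [HOME_LAN, ip_network("192.168.1.0/24")]

def lookup_route(dst: IPv4Address, routes) -> str:
    """Longest-prefix match, as a host routing table does it."""
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        raise ValueError(f"no route to {dst}")
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def tunnel_decision(src: IPv4Address, dst: IPv4Address, selectors) -> str:
    """A policy-based VPN encrypts a packet only when its own src/dst fall
    inside a configured selector pair; the next hop the PC chose is irrelevant."""
    if any(src in local and dst in remote for local, remote in selectors):
        return "ipsec"
    return "clear"

def trace(dst: IPv4Address, routes=PC_ROUTES, selectors=SELECTORS):
    """Return (next hop picked by the PC, path the packet takes at the Linksys)."""
    return lookup_route(dst, routes), tunnel_decision(HOME_PC, dst, selectors)

def summary_selector(nets) -> IPv4Network:
    """Vendor workaround: the smallest supernet covering several remote LANs."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net

if __name__ == "__main__":
    print(trace(OFFICE_HOST), trace(THIRD_PARTY))   # office: ipsec; 3rd party: clear
    print(summary_selector(VENDOR_EXAMPLE))          # 192.168.0.0/23
```

The 3rd-party packet gets the office gateway as next hop but still leaves the Linksys in the clear, which is the second diagram in the thread; the vendor's /22 is simply a looser cover than the minimal /23 computed here.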
Expert Comment

by:SIM50
ID: 35069485
If it's not hitting the firewall then most likely you have split tunneling set up. Do you still have that static route set up? route add 212.xxx.xxx.173 192.168.111.1

By the way, here is the link to hairpinning on Cisco site: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114 You would still need that command I posted above to route within the same interface.
Assisted Solution

by:SIM50
SIM50 earned 62 total points
ID: 35069511
You can set up a static route on your computer. If you use Windows, the command in cmd is route add.

Author Comment

by:lospilotos
ID: 35069799
Please cancel my closing request so that I can award points instead to the partially helpful responses.

Author Closing Comment

by:lospilotos
ID: 35120595
Problem was related to the product in question not general TCP/IP. Got answer through product support site which was posted here for reference.