
Static routing through IPSec tunnel

Posted on 2011-03-07
Last Modified: 2012-05-11
Hello experts!

I need some help on setting up a static route through an IPSec tunnel to access a 3rd party server. The background is:

From our office network we are accessing a 3rd party server (212.xxx.xxx.173) that only allows access from specific IP-numbers, i.e. our external IP-number (82.xxx.xxx.64)

I also need to access the 3rd party when at home and before I used a PPTP connection to access our office network. Then I got an IP-number from the internal office network i.e. (192.168.111.15) and I could easily route my traffic with a ROUTE ADD 212.xxx.xxx.172 192.168.111.15.

Now the home and office networks are connected with an IPSec tunnel, which is much more practical, but I do not know how (if it is even possible) to route the connection to the 3rd party through my office network so that the request seems to be made from the authorized IP-number.

My guess would be that I need to set a static route in the home firewall but this has not succeeded.

Questions:

1. If I was to set up a static route on the home firewall, how should that look?
2. Is it possible to set up a static route on my PC on the home network that would achieve the same?

Details:

3rd party IP: 212.xxx.xxx.173
Office public IP: 82.xxx.xxx.64
Office internal network: 192.168.111.0/24
Home public IP: 213.xxx.xxx.124
Home internal network: 192.168.0.0/24

Many thanks in advance!

/Lospilotos
Question by:lospilotos
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 35067009
Supposing that routing between home and office is OK, add a static route in the home router:
dest: 212.xxx.xxx.173/24 gateway: IP internal at office.

I don't know what router model you have at home.
0
 

Author Comment

by:lospilotos
ID: 35067084
Thanks for the reply. That is exactly what I have tried. Starting to suspect something wrong with the home router. It is a consumer class router from Linksys, WRVS4400N.

When I add the route and then click "Show routing table" from the web config of the router, nothing is changed...
0
 

Author Comment

by:lospilotos
ID: 35067962
Let's assume that the home router is defective in some way and will not allow me to create a static route using the gateway on the remote network. Is there any way of doing this on the local PC instead? ROUTE ADD 212.xxx.xxx.173 192.168.111.1 is accepted but does not work.
0
 
LVL 19

Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 63 total points
ID: 35068766
Try this: route add 212.xxx.xxx.173 mask 255.255.255.255 192.168.111.1 metric 1
0
 

Author Comment

by:lospilotos
ID: 35069223
Thanks, but what you suggested produced the same result in the routing table as my previous -
route add 212.xxx.xxx.173 192.168.111.1
0
 
LVL 14

Expert Comment

by:SIM50
ID: 35069233
If I understand you correctly, you want to route from the IPsec tunnel which connects your home to your office and then route to a 3rd party site-to-site VPN. This is called hairpinning. On your ASA, which terminates both VPNs, enter this command: same-security-traffic permit intra-interface.
0
 

Author Comment

by:lospilotos
ID: 35069390
SIM50: Not quite. The traffic from the office to the 3rd party is over normal internet. There is no VPN tunnel to the 3rd party. Just to make sure, I ran your command and there was no change. I also checked the ASA's log and the traffic is not hitting it at all.
0
 

Author Comment

by:lospilotos
ID: 35069408
This is what I'm trying to achieve:

PC ----WLAN----> Linksys ----VPN----> ASA ----Internet-----> 3rd party

This is what seems to happen:

PC ----WLAN----> Linksys ----Internet-----> 3rd party
0
 

Accepted Solution

by:
lospilotos earned 0 total points
ID: 35069480
Response from Cisco/Linksys:

"The WRVS4400N will not allow you to do a static route through the IPsec interface or tunnel. All our small business devices only support connectivity to the default LAN on the other side.

To get more than one network across the tunnel you would have to put your remote addresses together like 192.168.0.0 and 192.168.1.0 and do a subnet of 255.255.252.0 to access more than one network through the tunnel.

The only way to do a static route through a tunnel would be with one of our enterprise devices."


Thanks for your responses, which I'm sure would have worked if the Linksys product was up to par...
0
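As an added illustration (not part of the original thread and not vendor code), the sketch below models a policy-based IPsec gateway that sends a packet into the tunnel only when its source and destination match a configured selector pair, which is consistent with the vendor reply and with the traffic never reaching the ASA. The third-party address is a constructed RFC 5737 stand-in because the page masks it, the home PC address is constructed, and the selector-only decision is an assumption about how the device behaves.

```python
import ipaddress as ip

# Constructed stand-ins: the page masks the public addresses, so an
# RFC 5737 documentation address represents the 3rd party server.
THIRD_PARTY = ip.ip_address("203.0.113.173")
HOME_PC = ip.ip_address("192.168.0.10")          # constructed home LAN host

HOME_LAN = ip.ip_network("192.168.0.0/24")       # from the question
OFFICE_LAN = ip.ip_network("192.168.111.0/24")   # from the question

# Tunnel as described in the thread: home LAN <-> office default LAN only.
TUNNEL = [(HOME_LAN, OFFICE_LAN)]

# Remote selector from the vendor reply: 192.168.0.0 with mask 255.255.252.0.
VENDOR_REMOTE = ip.ip_network("192.168.0.0/255.255.252.0")


def path(src, dst, selectors):
    """Return 'tunnel' if (src, dst) matches a (local, remote) selector pair,
    otherwise 'internet'. Static routes are deliberately not consulted
    (assumed behaviour of a policy-based tunnel)."""
    for local, remote in selectors:
        if src in local and dst in remote:
            return "tunnel"
    return "internet"


def covered(selector_net, wanted):
    """Return the wanted networks that fall inside one remote selector."""
    return [net for net in wanted if net.subnet_of(selector_net)]


if __name__ == "__main__":
    # Office LAN host: matches the selector pair, so it is encrypted.
    print(path(HOME_PC, ip.ip_address("192.168.111.15"), TUNNEL))
    # 3rd party: no selector match, so it leaves via the home public IP
    # and the 3rd party sees an unauthorized source address.
    print(path(HOME_PC, THIRD_PARTY, TUNNEL))
    # The widened mask reaches the two networks the vendor names, nothing else.
    wanted = [ip.ip_network("192.168.0.0/24"),
              ip.ip_network("192.168.1.0/24"),
              OFFICE_LAN]
    print(covered(VENDOR_REMOTE, wanted))
```
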
 
LVL 14

Expert Comment

by:SIM50
ID: 35069485
If it's not hitting the firewall then most likely you have split tunneling set up. Do you still have that static route set up? route add 212.xxx.xxx.173 192.168.111.1

By the way, here is the link to hairpinning on Cisco site: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114 You would still need that command I posted above to route within the same interface.
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 62 total points
ID: 35069511
You can set up a static route on your computer. If you use Windows, the command in cmd is route add.
0
 

Author Comment

by:lospilotos
ID: 35069799
Please cancel my closing request so that I can award points instead to the partially helpful responses.
0
 

Author Closing Comment

by:lospilotos
ID: 35120595
Problem was related to the product in question not general TCP/IP. Got answer through product support site which was posted here for reference.
0
