Solved

Static routing through IPSec tunnel

Posted on 2011-03-07
875 Views
Last Modified: 2012-05-11
Hello experts!

I need some help on setting up a static route through an IPSec tunnel to access a 3rd party server. The background is:

From our office network we are accessing a 3rd party server (212.xxx.xxx.173) that only allows access from specific IP-numbers, i.e. our external IP-number (82.xxx.xxx.64)

I also need to access the 3rd party when at home and before I used a PPTP connection to access our office network. Then I got an IP-number from the internal office network i.e. (192.168.111.15) and I could easily route my traffic with a ROUTE ADD 212.xxx.xxx.172 192.168.111.15.

Now the home and office networks are connected with an IPSec tunnel, which is much more practical, but then I do not know how (if it is even possible) to route the connection to the 3rd party through my office network so that the request seems to be made from the authorized IP-number.

My guess would be that I need to set a static route in the home firewall, but this has not succeeded.

Questions:

1. If I was to set up a static route on the home firewall, how should that look?
2. Is it possible to set up a static route on my PC on the home network that would achieve the same?

Details:

3rd party IP: 212.xxx.xxx.173
Office public IP: 82.xxx.xxx.64
Office internal network: 192.168.111.0/24
Home public IP: 213.xxx.xxx.124
Home internal network: 192.168.0.0/24

Many thanks in advance!

/Lospilotos
0
Question by:lospilotos
13 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 35067009
Supposing that routing between home and office is ok, add a static route in the home's router:
dest: 212.xxx.xxx.173/24 gateway: IP internal at office.

I don't know what router model you have at home.
0
 

Author Comment

by:lospilotos
ID: 35067084
Thanks for the reply. That is exactly what I have tried. Starting to suspect something wrong with the home router. It is a consumer class router from Linksys, WRVS4400N.

When I add the route and then click "Show routing table" from the web config of the router, nothing is changed...
0
 

Author Comment

by:lospilotos
ID: 35067962
Let's assume that the home router is defective in some way and will not allow me to create a static route using the gateway on the remote network. Is there any way of doing this on the local PC instead? ROUTE ADD 212.xxx.xxx.173 192.168.111.1 is accepted but does not work.
0
 
LVL 19

Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 252 total points
ID: 35068766
try this: route add 212.xxx.xxx.173 mask 255.255.255.255 192.168.111.1 metric 1
0
 

Author Comment

by:lospilotos
ID: 35069223
Thanks, but what you suggested produced the same result in the routing table as my previous -
route add 212.xxx.xxx.173 192.168.111.1
0
 
LVL 14

Expert Comment

by:SIM50
ID: 35069233
If I understand you correctly, you want to route from the IPsec tunnel which connects your home to your office and then route to the 3rd party site-to-site VPN. This is called hairpinning. On your ASA which terminates both VPNs, enter this command: same-security-traffic permit intra-interface.
0
 

Author Comment

by:lospilotos
ID: 35069390
SIM50: Not quite. The traffic from the office to the 3rd party is over normal internet. There is no VPN tunnel to the 3rd party. Just to make sure, I ran your command and there was no change. I also checked the ASA's log and the traffic is not hitting it at all.
0
 

Author Comment

by:lospilotos
ID: 35069408
This is what I'm trying to achieve:

PC ----WLAN----> Linksys ----VPN----> ASA ----Internet-----> 3rd party

This is what seems to happen

PC ----WLAN----> Linksys ----Internet-----> 3rd party
0
 

Accepted Solution

by:
lospilotos earned 0 total points
ID: 35069480
Response from Cisco/Linksys:

"The Wrvs4400n will not allow you to do a static route through the ipsec interface or tunnel.  All our small business devices only support connectivity to the default lan on the other side.

To get more than one network across the tunnel you would have to put your remote addresses together like 192.168.0.0 and 192.168.1.0 and do a subnet of 255.255.252.0 to access more than one network through the tunnel.

The only way to do a static route through a tunnel would be with one of our enterprise devices."


Thanks for your responses, which I'm sure would have worked if the Linksys product was up to par...
0
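As an added illustration of the two diagrams lospilotos posted above and of the Linksys explanation quoted in this comment (a model written for this page, not the poster's configuration and not Linksys or Cisco code): the PC's host route only decides which on-link neighbour gets the frame, and that neighbour is the Linksys either way; whether the Linksys then encrypts the packet into the tunnel depends on the tunnel's traffic selectors, which on this product cover only the two default LANs. The addresses are RFC 5737 documentation placeholders standing in for the redacted ones in the thread, and the Linksys LAN address 192.168.0.1 is assumed.

```python
"""Why a host route on the home PC is not enough: the packet must also match
an IPsec traffic selector on the home router. Illustrative model only."""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed placeholders (RFC 5737 ranges) for the redacted addresses.
THIRD_PARTY = ipaddress.ip_address("192.0.2.173")      # stands in for 212.xxx.xxx.173
OFFICE_PUBLIC = ipaddress.ip_address("198.51.100.64")  # stands in for 82.xxx.xxx.64
HOME_PUBLIC = ipaddress.ip_address("203.0.113.124")    # stands in for 213.xxx.xxx.124
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
OFFICE_LAN = ipaddress.ip_network("192.168.111.0/24")
LINKSYS = ipaddress.ip_address("192.168.0.1")          # assumed home gateway address
OFFICE_GW = ipaddress.ip_address("192.168.111.1")      # gateway used in the thread
PC = ipaddress.ip_address("192.168.0.15")              # constructed PC address

Route = Tuple[Net, Optional[IPv4]]   # (prefix, gateway); None means on-link
Selector = Tuple[Net, Net]           # tunnel traffic selector: (local, remote)


def lookup(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match over a forwarding table."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def first_hop(table: List[Route], dst: IPv4) -> Optional[IPv4]:
    """Resolve a destination to the on-link neighbour that receives the frame.
    A gateway that is not itself on-link is looked up again (recursive resolution)."""
    hop = dst
    for _ in range(8):            # bound the walk in case the table loops
        route = lookup(table, hop)
        if route is None:
            return None
        _, gw = route
        if gw is None:            # on-link prefix: deliver to 'hop' directly
            return hop
        hop = gw
    return None


def selects(selectors: List[Selector], src: IPv4, dst: IPv4) -> bool:
    """Does the (src, dst) pair fall inside any tunnel selector (SPD entry)?"""
    return any(src in local and dst in remote for local, remote in selectors)


def source_seen_by_third_party(src: IPv4, pc_routes: List[Route],
                               tunnel: List[Selector]) -> Tuple[str, IPv4]:
    """Walk one packet from the PC and report which public IP the 3rd party sees."""
    hop = first_hop(pc_routes, THIRD_PARTY)
    if selects(tunnel, src, THIRD_PARTY):
        # Encrypted to the office; the office forwards it over its own Internet link.
        return (f"pc -> {hop} -> ipsec -> office -> internet", OFFICE_PUBLIC)
    # No selector match: the home router treats it as plain Internet traffic and NATs it.
    return (f"pc -> {hop} -> internet", HOME_PUBLIC)


# The PC's table after the ROUTE ADD from the thread (host route via the office gateway).
PC_ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), LINKSYS),
    (HOME_LAN, None),
    (ipaddress.ip_network("192.0.2.173/32"), OFFICE_GW),
]

# What Linksys support described: the tunnel carries only the two default LANs.
CONSUMER_TUNNEL: List[Selector] = [(HOME_LAN, OFFICE_LAN)]
# A router that lets the 3rd-party host be added as an extra remote selector.
POLICY_TUNNEL: List[Selector] = CONSUMER_TUNNEL + [
    (HOME_LAN, ipaddress.ip_network("192.0.2.173/32"))]

if __name__ == "__main__":
    print("first hop for the host route:", first_hop(PC_ROUTES, THIRD_PARTY))
    for name, tun in (("consumer", CONSUMER_TUNNEL), ("policy", POLICY_TUNNEL)):
        path, seen = source_seen_by_third_party(PC, PC_ROUTES, tun)
        print(f"{name:8} {path:45} seen as {seen}")
```

In the model the office side is assumed to carry the mirror-image selector and to be allowed to forward tunnel traffic back out to the Internet (the hairpinning point SIM50 raised for the ASA); without that, the packet would reach the office and stop there instead of never leaving the home network.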
 
LVL 14

Expert Comment

by:SIM50
ID: 35069485
If it's not hitting the firewall then most likely you have split tunneling set up. Do you still have that static route set up? route add 212.xxx.xxx.173 192.168.111.1

By the way, here is the link to hairpinning on Cisco site: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114 You would still need that command I posted above to route within the same interface.
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 248 total points
ID: 35069511
You can set up a static route on your computer. If you use Windows, the command in cmd is route add.
0
 

Author Comment

by:lospilotos
ID: 35069799
Please cancel my closing request so that I can award points instead to the partially helpful responses.
0
 

Author Closing Comment

by:lospilotos
ID: 35120595
Problem was related to the product in question not general TCP/IP. Got answer through product support site which was posted here for reference.
0
