Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 881
  • Last Modified:

Static routing through IPSec tunnel

Hello experts!

I need some help on setting up a static route through an IPSec tunnel to access a 3rd party server. The backgound is:

From our office network we are accessing a 3rd party server (212.xxx.xxx.173) that only allows access from specific IP-numbers, i.e. our external IP-number (82.xxx.xxx.64)

I also need to access the 3rd party when at home and before I used a PPTP connection to access our office network. Then I got an IP-number from the internal office network i.e. (192.168.111.15) and I could easily route my traffic with a ROUTE ADD 212.xxx.xxx.172 192.168.111.15.

Now the home and office network is connected with an IPSec tunnel which is much more practical, but then I do not know how to (if even possible) to route the connection to the 3rd party through my office network so that the request seems to be made from the authorized IP-number.

My guess would be that I need to set a static route in the home firewall but this has not suceeded.

Questions:

1. If I was to set up a static route on the home firewall, how should that look?
2. Is it possible to set up a static route on my PC on the home network that would achieve the same?

Details:

3rd party IP: 212.xxx.xxx.173
Office public IP: 82.xxx.xxx.64
Office internal network: 192.168.111.0/24
Home public IP. 213.xxx.xxx.124
Home internal network: 192.168.0.0/24

Many thanks in advance!

/Lospilotos
0
lospilotos
Asked:
lospilotos
  • 8
  • 3
  • 2
3 Solutions
 
Miguel Angel Perez MuñozCommented:
Supposing that routing between home and office are ok, add a static route in home´s router:
dest: 212.xxx.xxx.173/24 gateway: IP internal at office.

I don´t know that router model has in home.
0
 
lospilotosAuthor Commented:
Thanks for the reply. That is exactly what I have tried. Starting to suspect something wrong with the home router. It is a consumer class router from Linksys, WRVS4400N.

When I add the route and then click "Show routing table" from the web config of the router, nothing is changed...
0
 
lospilotosAuthor Commented:
Let´s assume that the home router is defect in some way and will not allow me to create a static route using the gateway on the remote network. Is there any way of doing this on the local PC instead? ROUTE ADD 212.xxx.xxx.173 192.168.111.1 is accepted but does not work.
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
Miguel Angel Perez MuñozCommented:
try this: route add 212.xxx.xxx.mask 255.255.255.255 173 192.168.111.1 metric 1
0
 
lospilotosAuthor Commented:
Thanks, but what you suggested produced the same result in the routing table as my previous -
route add 212.xxx.xxx.173 192.168.111.1
0
 
SIM50Commented:
If I understand you correctly, you want to route from IPsec tunnel which connects your home to your office and then route to 3rd party site-to-site VPN. This is called hairpinning. On your ASA which terminates both VPN's, enter this command: same-security-traffic permit intra-interface.
0
 
lospilotosAuthor Commented:
SIM50: Not quite. The traffic from the office to the 3rd party is over normal internet. There is no VPN tunnel to the 3rd party. Just to make sure, I ran your command and there was no change. I also checked the ASA's log and the traffic is not hitting it at all.
0
 
lospilotosAuthor Commented:
This is what I´m trying to achieve:

PC ----WLAN----> Linksys ----VPN----> ASA ----Internet-----> 3rd party

This is what seems to happen

PC ----WLAN----> Linksys ----Internet-----> 3rd party
0
 
lospilotosAuthor Commented:
Response from Cisco/Linksys:

"The Wrvs4400n will not allow you to do a static route through the ipsec interface or tunnel.  All our small business devices only support connectivity to the default lan on the other side.

To get more than one network across the tunnel you would have to put your remote addresses together like 192.168.0.0 and 192.168.1.0 and do a subnet of 255.255.252.0 to access more than one network through the tunnel.

The only way to do a static route through a tunnel would be with one of our enterprise devices."


Thanks for your responses, which I´m sure would have worked if the Linksys product was up to par...
0
 
SIM50Commented:
If it's not hitting the firewall then most likely your have split tunneling setup. Do you still have that static route setup? route add 212.xxx.xxx.173 192.168.111.1

By the way, here is the link to hairpinning on Cisco site: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114 You would still need that command I posted above to route within the same interface.
0
 
SIM50Commented:
You can setup a static route on your computer. If you use windows, the command in cmd is route add.
0
 
lospilotosAuthor Commented:
Please cancel my closing request so that I can award points instead to the partially helpful responses.
0
 
lospilotosAuthor Commented:
Problem was related to the product in question not general TCP/IP. Got answer through product support site which was posted here for reference.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 8
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now