Static routing through IPSec tunnel

Hello experts!

I need some help on setting up a static route through an IPSec tunnel to access a 3rd party server. The background is:

From our office network we are accessing a 3rd party server (212.xxx.xxx.173) that only allows access from specific IP-numbers, i.e. our external IP-number (82.xxx.xxx.64)

I also need to access the 3rd party when at home and before I used a PPTP connection to access our office network. Then I got an IP-number from the internal office network i.e. (192.168.111.15) and I could easily route my traffic with a ROUTE ADD 212.xxx.xxx.172 192.168.111.15.

Now the home and office networks are connected with an IPSec tunnel, which is much more practical, but then I do not know how (if it is even possible) to route the connection to the 3rd party through my office network so that the request seems to be made from the authorized IP-number.

My guess would be that I need to set a static route in the home firewall, but this has not succeeded.

Questions:

1. If I was to set up a static route on the home firewall, how should that look?
2. Is it possible to set up a static route on my PC on the home network that would achieve the same?

Details:

3rd party IP: 212.xxx.xxx.173
Office public IP: 82.xxx.xxx.64
Office internal network: 192.168.111.0/24
Home public IP: 213.xxx.xxx.124
Home internal network: 192.168.0.0/24

Many thanks in advance!

/Lospilotos
Asked: lospilotos

Miguel Angel Perez Muñoz commented:
Supposing that routing between home and office is OK, add a static route in the home's router:
dest: 212.xxx.xxx.173/24 gateway: IP internal at office.

I don't know what router model you have at home.
 
lospilotos (Author) commented:
Thanks for the reply. That is exactly what I have tried. Starting to suspect something wrong with the home router. It is a consumer class router from Linksys, WRVS4400N.

When I add the route and then click "Show routing table" from the web config of the router, nothing is changed...
 
lospilotos (Author) commented:
Let's assume that the home router is defective in some way and will not allow me to create a static route using the gateway on the remote network. Is there any way of doing this on the local PC instead? ROUTE ADD 212.xxx.xxx.173 192.168.111.1 is accepted but does not work.

Miguel Angel Perez Muñoz commented:
try this: route add 212.xxx.xxx.173 mask 255.255.255.255 192.168.111.1 metric 1
 
lospilotos (Author) commented:
Thanks, but what you suggested produced the same result in the routing table as my previous:
route add 212.xxx.xxx.173 192.168.111.1
 
SIM50 commented:
If I understand you correctly, you want to route from the IPsec tunnel which connects your home to your office and then route to the 3rd party site-to-site VPN. This is called hairpinning. On your ASA which terminates both VPNs, enter this command: same-security-traffic permit intra-interface.
 
lospilotos (Author) commented:
SIM50: Not quite. The traffic from the office to the 3rd party is over normal internet. There is no VPN tunnel to the 3rd party. Just to make sure, I ran your command and there was no change. I also checked the ASA's log and the traffic is not hitting it at all.
 
lospilotos (Author) commented:
This is what I'm trying to achieve:

PC ----WLAN----> Linksys ----VPN----> ASA ----Internet-----> 3rd party

This is what seems to happen:

PC ----WLAN----> Linksys ----Internet-----> 3rd party
 
lospilotos (Author) commented:
Response from Cisco/Linksys:

"The WRVS4400N will not allow you to do a static route through the IPsec interface or tunnel. All our small business devices only support connectivity to the default LAN on the other side.

To get more than one network across the tunnel you would have to put your remote addresses together like 192.168.0.0 and 192.168.1.0 and do a subnet of 255.255.252.0 to access more than one network through the tunnel.

The only way to do a static route through a tunnel would be with one of our enterprise devices."

Thanks for your responses, which I'm sure would have worked if the Linksys product was up to par...
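The Linksys reply explains the failure in terms of what the tunnel will carry, not what the host routes. The following added example (not code from the thread, Linksys or Cisco) models a policy-based IPsec tunnel's traffic selectors with Python's `ipaddress` module: a packet is only encrypted when its source and destination both fall inside a negotiated local/remote pair, so a host route whose next hop is 192.168.111.1 changes nothing, and the "seems to happen" path (straight out to the internet) is exactly what a LAN-to-LAN selector produces. The selector sets, the PC address and the 212.0.2.173 stand-in for the masked 3rd-party address are assumptions.

```python
# Added example: model of IPsec policy-based traffic selectors. Not the
# Linksys WRVS4400N or Cisco ASA configuration from the thread.
from ipaddress import ip_address, ip_network

# Assumed selectors for the home<->office tunnel: per the Linksys reply,
# the router only negotiates its default LAN against the office LAN.
HOME_LAN = ip_network("192.168.0.0/24")
OFFICE_LAN = ip_network("192.168.111.0/24")
THIRD_PARTY = "212.0.2.173"   # placeholder for the masked 212.xxx.xxx.173
HOME_PC = "192.168.0.15"      # constructed address on the home LAN


def tunnel_path(src, dst, selectors):
    """Return the name of the first (name, local_net, remote_net) selector
    matching the packet, or 'internet' when none matches and the packet
    follows the router's ordinary default route. A policy-based IPsec
    peer decides on source/destination address only; the next hop chosen
    by a host route (e.g. 192.168.111.1) never enters into it."""
    s, d = ip_address(src), ip_address(dst)
    for name, local_net, remote_net in selectors:
        if s in local_net and d in remote_net:
            return name
    return "internet"


def supernet_covers(supernet, lans):
    """Check the Linksys workaround: one remote selector that is a supernet
    (e.g. mask 255.255.252.0) covering several real LANs on the far side."""
    net = ip_network(supernet)
    return all(ip_network(lan).subnet_of(net) for lan in lans)


# LAN-to-LAN selector, as the WRVS4400N negotiates it.
LAN_ONLY = [("vpn", HOME_LAN, OFFICE_LAN)]
# Full-tunnel selector: what hairpinning via the ASA would need, together
# with SIM50's "same-security-traffic permit intra-interface" on the ASA.
FULL_TUNNEL = [("vpn", HOME_LAN, ip_network("0.0.0.0/0"))]

if __name__ == "__main__":
    print(tunnel_path(HOME_PC, "192.168.111.15", LAN_ONLY))  # vpn
    print(tunnel_path(HOME_PC, THIRD_PARTY, LAN_ONLY))       # internet
    print(tunnel_path(HOME_PC, THIRD_PARTY, FULL_TUNNEL))    # vpn
    print(supernet_covers("192.168.0.0/22",
                          ["192.168.0.0/24", "192.168.1.0/24"]))  # True
    print(supernet_covers("192.168.0.0/22", ["212.0.2.0/24"]))    # False
```

The last check shows why the supernet trick in the Linksys reply cannot help here: it only widens the selector over adjacent private LANs, while the 3rd-party address is a public one outside any such block.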
 
SIM50 commented:
If it's not hitting the firewall then most likely you have split tunneling set up. Do you still have that static route set up? route add 212.xxx.xxx.173 192.168.111.1

By the way, here is the link to hairpinning on the Cisco site: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114 You would still need that command I posted above to route within the same interface.
 
SIM50 commented:
You can set up a static route on your computer. If you use Windows, the command in cmd is route add.
 
lospilotos (Author) commented:
Please cancel my closing request so that I can award points instead to the partially helpful responses.
 
lospilotos (Author) commented:
The problem was related to the product in question, not general TCP/IP. Got the answer through the product support site, which was posted here for reference.