Handersson75
asked:

Problem setup VPN

Dear expert

I'm trying to set up a VPN to our network, but I simply can't get it to work. The connection map looks like this:

Internet -> Cisco (firewall) (one public IP) -> pfSense (firewall) (another public IP) (VPN, which does not work) -> LAN

The problem I'm having is the connection with two firewalls... I know I could connect the WAN directly to the internet, but our internet modem doesn't allow us to do that...

On the Cisco I created a NAT rule that translates the pfSense firewall's private IP to a public IP; I also opened the PPTP port and GRE on the Cisco. When I try to connect with PPTP from the LAN, it works perfectly, no problem at all. I also tried connecting to the public IP of the pfSense; that works too. When I try to connect from my mobile (mobile internet, outside our LAN) it doesn't work; I get the "PPTP not answering" problem... I also tried to ping out from the pfSense to google.com, and that didn't work either. Well, I don't know what I did wrong. I know the Cisco has VPN too, but we're cheap about the license cost, so we used an open-source firewall.

Could anyone give me some advice, please?
Thank you.
Ernie Beek

The thing is that to pass GRE through, you'll need a 1-to-1 translation from the internet to the 'inside'. Since you have only one public IP, that isn't going to work :-~

What you could try is to terminate the VPN on the Cisco and open up the pfSense for the IP(s) that the remote(s) get. That way you should be able to connect to the LAN.
Handersson75 (asker)

Thanks for the fast reply; we have 10 public IPs from the ISP that we can use.
Ernie Beek

OK, because in your drawing you said the Cisco (which is on the outside) has one public IP. So it's one from a range?

Then take one of those other IPs, make a static NAT to the pfSense's IP, and open up port 1723 and protocol 47. You should be able to get through.

The only thing is how the IPs are set up on the Cisco and the pfSense. The Cisco has a public IP on the outside; how about the inside? Because you said the pfSense also has a public IP (on the outside? so how about the inside?).
Could you give an example of that? I don't need to know your public addresses, just put in something similar with the same subnet masks.
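A way to verify from the outside whether the static NAT plus TCP 1723 is actually reaching the pfSense, as an added example that is not part of this thread or of either participant's configuration: a small PPTP control-channel probe written against RFC 2637. It connects to TCP 1723, sends a Start-Control-Connection-Request and parses the Start-Control-Connection-Reply. If the control connection cannot even be opened, the client-side symptom is exactly the "PPTP server not answering" the asker reports; if the reply comes back with result code 1, TCP 1723 and the NAT are fine and the remaining suspect for a failing tunnel is GRE (IP protocol 47). The target address and host-name strings are placeholders (the 209.82.23.14 default is the example address from the thread), and the SCCRP builder exists only to construct an offline sample reply.

```python
"""PPTP (RFC 2637) control-connection probe. Added example; host and
names are placeholders. Only build_sccrq/build_sccrp/parse_sccrp run
offline; probe() needs a real PPTP server on TCP 1723."""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1      # PPTP Message Type: control message
SCCRQ = 1             # Start-Control-Connection-Request
SCCRP = 2             # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100
FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2
MSG_LEN = 156         # SCCRQ and SCCRP are both 156 bytes on the wire

# Common 12-byte header: length, msg type, magic cookie, ctrl type, reserved0
_HDR = "!HHIHH"
# SCCRQ body: version, reserved1, framing, bearer, max channels, firmware,
#             hostname[64], vendor[64]
_SCCRQ_BODY = "!HHIIHH64s64s"
# SCCRP body: same, but reserved1 is replaced by result code + error code
_SCCRP_BODY = "!HBBIIHH64s64s"


def build_sccrq(hostname: bytes = b"pptp-probe", vendor: bytes = b"example") -> bytes:
    """Encode an SCCRQ; struct pads the 64-byte strings with NULs."""
    hdr = struct.pack(_HDR, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack(_SCCRQ_BODY, PROTOCOL_VERSION, 0,
                       FRAMING_ASYNC | FRAMING_SYNC, BEARER_ANALOG | BEARER_DIGITAL,
                       1, 0, hostname, vendor)
    return hdr + body


def build_sccrp(result: int = 1, error: int = 0,
                hostname: bytes = b"pptp-server", vendor: bytes = b"example") -> bytes:
    """Encode an SCCRP (result 1 = channel established). Used here only to
    construct a sample reply for offline testing."""
    hdr = struct.pack(_HDR, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    body = struct.pack(_SCCRP_BODY, PROTOCOL_VERSION, result, error,
                       FRAMING_ASYNC | FRAMING_SYNC, BEARER_ANALOG | BEARER_DIGITAL,
                       1, 0, hostname, vendor)
    return hdr + body


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raises ValueError for anything that is not one."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short PPTP message: {len(data)} bytes")
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(_HDR, data[:12])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE or length != MSG_LEN:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl_type}")
    (version, result, error, framing, bearer, maxchan, firmware,
     host, vendor) = struct.unpack(_SCCRP_BODY, data[12:MSG_LEN])
    return {
        "result": result, "error": error, "version": version,
        "framing": framing, "bearer": bearer, "max_channels": maxchan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode(errors="replace"),
        "vendor": vendor.rstrip(b"\0").decode(errors="replace"),
    }


def probe(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Open the control connection and exchange SCCRQ/SCCRP.
    Raises OSError if TCP 1723 is unreachable, ValueError on a bad reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control connection")
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "209.82.23.14"  # placeholder
    try:
        reply = probe(target)
    except (OSError, ValueError) as exc:
        print(f"{target}: TCP {PPTP_PORT} control channel failed: {exc}")
        print("  -> check the static NAT, the permit for TCP 1723, and the "
              "pfSense default gateway (replies must route back out)")
        sys.exit(1)
    print(f"{target}: SCCRP result={reply['result']} error={reply['error']} "
          f"host={reply['hostname']!r} vendor={reply['vendor']!r}")
    if reply["result"] == 1:
        print("  -> control channel OK; if the client still fails, look at GRE (protocol 47)")
    else:
        print("  -> server refused the control connection")
```

Run it from a host outside the LAN (the mobile-tethered laptop is the natural choice) against the public IP that is statically mapped to the pfSense. Note that a successful SCCRP only proves TCP 1723 both ways; GRE is a separate IP protocol that this probe does not exercise, so it must be permitted on every firewall in the path as well.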
Handersson75 (asker)

Yeah, the drawing wasn't really clear. The Cisco has one public IP, and the pfSense also has one public IP; the two IPs are different. Protocol 47 is GRE, though; it's opened on the Cisco, but it's not opened on the pfSense... Do I need to open it there too?
I will explain with IPs; hopefully that will make it easier:

Internet 209.82.23.13 -> Cisco (inside IP: 10.0.0.250) -> pfSense (outside IP: 209.82.23.14, inside IP: 10.0.0.1) -> LAN (10.0.0.2 - 10.0.0.249)

I hope this makes it clearer?
Ernie Beek

Not yet..........

So the Cisco is connected with its inside interface (10.0.0.250) to the pfSense's outside (209.82.23.14)? How did you get that to work?
Second, why is the pfSense there? Can't it be removed? That would simplify things a lot. I read that you said something about a modem, but that doesn't make it clear yet why you put in two firewalls.

Enlighten me ;)
Handersson75 (asker)

:) The pfSense is only for the VPN connections; that is why we are using two firewalls. As I said, the Cisco has VPN licenses, but the licensing is expensive, so I put in an open-source firewall, which is free and has better hardware.

I think my drawing didn't make it easier :p Here is what I want it to be:

internet -> Cisco -> LAN
internet -> pfSense -> LAN

But I connected the Cisco and the pfSense together, while the WAN interfaces are still different; will that work? By default you need two internet ports on the ADSL modem to make it work, but we only have one, which is why we had to connect it that way...
Ernie Beek

Have you thought about setting up an IPsec VPN (using the Cisco secure client if you have it, or the Shrew client: http://www.shrew.net/)?
With a base license on the 5505 you can set it up for 10 peers. And on a 5505 you don't want more than that ;)
Handersson75 (asker)

pfSense can support up to 254 VPN clients... so which one do you think I should choose? :)
Ernie Beek

That's a tough one, let me think....

:)

OK, let's see. You have a modem which is connected to the internet. Does the modem have an IP of its own in the 209.82.23.x range? In other words: is the modem the default gateway for the ASA?
If that is the case, you should be able to put a little switch behind the modem and connect the ASA and the pfSense to that, thus creating the setup you want.
If not, it depends a bit on the setup, but I still think we should be able to get this to work.
Handersson75 (asker)

OK... I just did what you said. I also called the ISP to ask if they can see the public IP, and they can. Now the PPTP connection is still not working... I get the "PPTP server not answering" message... I checked the pfSense firewall log; the connection seems to be connecting, but it just wouldn't connect...
Ernie Beek

"the connection seems to be connecting, but it just wouldn't connect"

?

Could you post (part of) the log? Getting curious here.
Handersson75 (asker)

I'm checking the log now. What I meant was the firewall's live activity scanner; it can live-scan all the traffic passing through the pfSense. In there I saw the IP of my mobile device and the port.
ASKER CERTIFIED SOLUTION
Ernie Beek

This solution is only available to members.
Handersson75 (asker)

Mate, I was stupid; I forgot to set up the gateway :p Now it's working, thanks for the help.
Cheers mate!

Ernie Beek

Thanks for the points.