Routing issues with VPN and remote users

Hello,

I have the following network setup that I took over.

I have 5 external IP addresses.

Hosting provider: VPN connection made with the Cisco; LAN = 10.55.4.0

Main office:
ISP 65.143.8.139, gateway 65.143.8.137 -> Cisco (firewall) 5505, 10.55.2.1
ISP 65.143.8.138, gateway 65.143.8.137 -> pfSense (VPN box), 10.55.2.251

** The pfSense and Cisco boxes share a Dell switch.

Remote user:
ISP 98.211.195.166 -> Linksys RVL200, 10.55.102.1 (this has a VPN to the pfSense box)


The remote user cannot access all devices on the 10.55.2.0 network, and they cannot access the 10.55.4.0 network.

I just took this mess over, and I know static routes are the answer, but I don't know where to add them.

Thanks
mdflinux asked:
ArneLovius commented:
On the Cisco VPN between the core LAN and the hosting provider, you should have the following traffic covered by a crypto map:

10.55.4.0/24 - 10.55.2.0/24
10.55.4.0/24 - 10.55.102.0/24

You also need a static route on the core LAN Cisco:

10.55.102.0 255.255.255.0 10.55.2.251

On the pfSense to Linksys VPN, you should have the following traffic covered by a crypto map:

10.55.102.0/24 - 10.55.2.0/24
10.55.102.0/24 - 10.55.4.0/24

On the pfSense firewall you should have the following static route:

10.55.4.0 255.255.255.0 10.55.2.1


Ideally you would also have an L3 device on the core LAN that is the default gateway for all devices on the core LAN; this device would have the Cisco as its default gateway and a static route for the VPNs connected to the pfSense box. If this is not possible, you will need to enable "same-security-traffic permit intra-interface" on the Cisco.
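The Cisco side of the answer above, written out as an added example (it is not from the original thread or any of its participants). Only the subnets and the 10.55.2.x addresses come from the question; the interface names inside/outside, the object, ACL and crypto-map names, the IKEv1 transform set and the placeholder HOSTING_PEER_IP are assumptions, and the syntax is ASA 8.4 or later.

```cisco
! Cisco ASA 5505 at 10.55.2.1 (added example, ASA 8.4+ syntax).
! Interface names, object/ACL/crypto-map names, the transform set and
! HOSTING_PEER_IP are assumptions, not values given in the thread.

object network CORE_LAN
 subnet 10.55.2.0 255.255.255.0
object network REMOTE_USER_LAN
 subnet 10.55.102.0 255.255.255.0
object network HOSTING_LAN
 subnet 10.55.4.0 255.255.255.0

! Interesting traffic for the hosting tunnel. Both source LANs must be listed:
! a packet from 10.55.102.0/24 that matches no crypto ACL entry is not
! encrypted; it is routed out the outside interface in the clear and dropped
! by the ISP, and the hosting provider's crypto ACL must mirror these lines.
access-list HOSTING_VPN extended permit ip object CORE_LAN object HOSTING_LAN
access-list HOSTING_VPN extended permit ip object REMOTE_USER_LAN object HOSTING_LAN

! NAT exemption (twice-NAT) so tunnelled traffic keeps its private addresses
nat (inside,outside) source static CORE_LAN CORE_LAN destination static HOSTING_LAN HOSTING_LAN no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE_USER_LAN REMOTE_USER_LAN destination static HOSTING_LAN HOSTING_LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HOSTING_VPN
crypto map OUTSIDE_MAP 10 set peer HOSTING_PEER_IP
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Return path for the remote user's LAN: it sits behind the pfSense box on the
! inside segment, not behind the default route on outside.
route inside 10.55.102.0 255.255.255.0 10.55.2.251

! Core hosts use 10.55.2.1 as their default gateway, so their replies to
! 10.55.102.x enter the ASA on "inside" and must leave on "inside" toward
! 10.55.2.251. The ASA drops such hairpinned traffic unless this is enabled.
same-security-traffic permit intra-interface
```

The pfSense box needs the mirror image: two Phase 2 entries on the tunnel to the Linksys (local 10.55.2.0/24 and 10.55.4.0/24, remote 10.55.102.0/24), a gateway 10.55.2.1 on the LAN interface with a static route for 10.55.4.0/24 through it, and rules on the IPsec tab that allow the decrypted traffic. To check the ASA side, `show crypto ipsec sa` should show an SA whose local identity includes 10.55.102.0/24, and `packet-tracer input inside icmp 10.55.2.10 8 0 10.55.102.10` shows whether a core host's reply is routed back to 10.55.2.251 or dropped for lack of intra-interface permission.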
 
fgasimzade commented:
Make sure you have routes properly configured between networks.
 
jmeggers (Sr. Network and Security Engineer) commented:
Static routes may NOT be the answer; there are other things that can affect traffic flows when IPsec is in play. I'm not clear on the exact topology, e.g., is the VPN box alongside the ASA, or sitting in a DMZ, etc.? Can you post a diagram?
 
mdflinux (author) commented:
Here is the network diagram; thanks for the help. (Attachment: NETWORK DIAGRAM)
 
mdflinux (author) commented:
The hosting provider has a LAN of 10.55.4.0.
 
Sanjeevloke commented:
Is the VPN established?
Can you post a traceroute from the user machine to 10.55.2.251?
 
mdflinux (author) commented:
Yes, the VPN between the remote user and our office is working, because we have IP phones and he is able to connect to our Avaya phone manager, but he cannot access our LAN.

The traceroute to 10.55.2.251 works fine.
 
fgasimzade commented:
What is the remote user's subnet? Does the provider have a route to the remote user's subnet?
 
mdflinux (author) commented:
Remote user LAN: 10.55.102.0. Which provider, ISP or hosting provider?

Thanks
 
fgasimzade commented:
You say remote users cannot access the 10.55.4.0 network, which is your hosting provider. Does this hosting provider have a route to the remote user's subnet?
 
mdflinux (author) commented:
Not sure, but probably not. How about having the remote user access our subnet 10.55.2.0?

Thanks
 
fgasimzade commented:
Well, your hosting provider needs a route to access the remote user's subnet.

If the traceroute to 10.55.2.251 works fine, then remote users can access this network. What exactly, then, can they not access?
 
mdflinux (author) commented:
Can't ping or remote into anything on the 10.55.2.0 subnet.

All of the 10.55.2.0 subnet goes through the gateway (Cisco router) 10.55.2.1. Could this be an issue?

The remote user cannot tracert to the Cisco router 10.55.2.1.

Thanks
 
fgasimzade commented:
Make sure there is a route on that router pointing to the remote subnet.
 
mdflinux (author) commented:
I added a static route on 10.55.2.1 to 10.55.102.0 255.255.255.0, gateway 10.55.2.251.

It did not work.
 
fgasimzade commented:
Can you ping 10.55.102.0 from 10.55.2.251? Have you got split tunneling configured on the remote users?
 
mdflinux (author) commented:
I can successfully ping 10.55.102.1 from 10.55.2.251.
 
fgasimzade commented:
Have you got split tunneling configured on the remote users?
 
mdflinux (author) commented:
The RVL200 the user has, I believe, has split tunneling enabled and does not have the option to disable it.

Thanks
 
fgasimzade commented:
You need to add your subnets (10.55.2.0 and 10.55.4.0) to the split tunneling configuration.
 
mdflinux (author) commented:
I don't see where to edit split tunneling in the RVL200 router.
 
mdflinux (author) commented:
I am working on trying your solutions and will report back on the results.

Thank you
 
Salah Eddine ELMRABET (Technical Lead Manager, Owner) commented:
Hi,

Could you please explain why you use a Linksys, a pfSense and a Cisco router with the ASA 5505? Also, I can't see the ASA in the drawing!

Maybe you can easily solve the problem if you think about a good architecture.

BR
 
mdflinux (author) commented:
After learning a bit more and using some of your comments for guidance, I will be changing our network setup and how our VPN users come in. I will use 1 router instead of 2.

Again, I thank you all for your help.
 
mdflinux (author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mdflinux's comment #37599837

for the following reason:

Instead of forcing something to work, I decided to redo it the correct way.
 
ArneLovius commented:
Just because the OP made a decision to go another way does not invalidate the answer that I provided in 36553587.
 
mdflinux (author) commented:
I don't want to annoy anyone. I appreciate the previous help, but I did not try your solution to see if it would work. Instead, our needs have changed and we are moving, which is giving me the opportunity to set up the network differently. We are also losing the hosting provider.

To be a good sport and for the sake of learning, I will try your solution and report back. Give me 2 weeks.

Thank you