
Routing issues with VPN and remote users

Posted on 2011-09-15
Last Modified: 2012-05-12
Hello,

I have the following network setup that I took over.

I have 5 external IP addresses.

Hosted provider: VPN connection made with Cisco, LAN = 10.55.4.0

Main office:
ISP 65.143.8.139, gateway 65.143.8.137 -> Cisco (firewall) 5505, 10.55.2.1
ISP 65.143.8.138, gateway 65.143.8.137 -> pfSense (VPN box), 10.55.2.251

** The pfSense and Cisco box share a Dell switch.

Remote user:
ISP 98.211.195.166 -> Linksys RVL200, 10.55.102.1 (this has a VPN to the pfSense box)


The remote user cannot access all devices on the 10.55.2.0 network, and they cannot access the 10.55.4.0 network.

I just took this mess over and I know static routes are the answer, but I don't know where to add them.

Thanks
Question by: mdflinux
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36545953
Make sure you have routes properly configured between networks
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36546110
Static routes may NOT be the answer; there are other things that can affect traffic flows when IPSec is in play. I'm not clear on the exact topology, e.g., is the VPN box alongside the ASA, or sitting in a DMZ, etc.? Can you post a diagram?
0
 

Author Comment

by:mdflinux
ID: 36546315
Here is the network diagram, thanks for the help. NETWORK DIAGRAM
0
 

Author Comment

by:mdflinux
ID: 36546323
the host provider has a lan of 10.55.4.0
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36548121
Is the VPN established?
Can you post a traceroute from the user machine to 10.55.2.251?
0
 

Author Comment

by:mdflinux
ID: 36551176
Yes, the VPN between the remote user and our office is working, because we have IP phones and he is able to connect to our Avaya phone manager, but he cannot access our LAN.

The traceroute to 10.55.2.251 works fine.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551203
What is the remote user's subnet? Does the provider have a route to the remote user's subnet?
0
 

Author Comment

by:mdflinux
ID: 36551223
Remote user LAN is 10.55.102.0. Which provider, ISP or hosting provider?

thanks
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551235
You say remote users cannot access the 10.55.4.0 network, which is your host provider. Does this host provider have a route to the remote user's subnet?


0
 

Author Comment

by:mdflinux
ID: 36551249
Not sure, but probably not. How about having the remote user access our subnet 10.55.2.0?

thanks
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551270
Well, your host provider needs a route to access the remote user's subnet.


If the traceroute to 10.55.2.251 works fine, then remote users can access this network. What exactly can they not access, then?
0
 

Author Comment

by:mdflinux
ID: 36551287
Can't ping or remote into anything on the 10.55.2.0 subnet.

All of the 10.55.2.0 subnet goes through the gateway (Cisco router) 10.55.2.1. Could this be an issue?

The remote user cannot tracert the Cisco router 10.55.2.1.

thanks
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551312
Make sure there is a route on that router pointing to remote subnet
0
 

Author Comment

by:mdflinux
ID: 36551355
I did a static route from 10.55.2.1 to 10.55.102.0 255.255.255.0, gateway 10.55.2.251.

It did not work.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551367
Can you ping 10.55.102.0 from 10.55.2.251? Have you got split tunneling configured on the remote users?
0
 

Author Comment

by:mdflinux
ID: 36551384
I can successfully ping 10.55.102.1 from 10.55.2.251.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551389
Have you got split tunneling configured on the remote users?
0
 

Author Comment

by:mdflinux
ID: 36551474
The RVL200 the user has, I believe, has split tunneling enabled, and it does not have the option to disable it.

thanks
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36551491
You need to add your subnets (10.55.2.0 and 10.55.4.0) to the split tunneling configuration
0
 

Author Comment

by:mdflinux
ID: 36551638
I don't see where to edit split tunneling in the RVL200 router.
0
 
LVL 36

Accepted Solution

by: ArneLovius (earned 500 total points)
ID: 36553587
On the Cisco VPN between the core LAN and the hosting provider, you should have the following traffic covered by a crypto map:

10.55.4.0/24 - 10.55.2.0/24
10.55.4.0/24 - 10.55.102.0/24

You also need a static route on the core LAN Cisco:

10.55.102.0 255.255.255.0 10.55.2.251

On the pfSense-to-Linksys VPN, you should have the following traffic covered by a crypto map:

10.55.102.0/24 - 10.55.2.0/24
10.55.102.0/24 - 10.55.4.0/24

On the pfSense firewall you should have the following static route:

10.55.4.0 255.255.255.0 10.55.2.1


Ideally you would also have an L3 device on the core LAN that is the default gateway for all devices on the core LAN; this device would have the Cisco as its default gateway and a static route for the VPNs connected to the pfSense box. If this is not possible, you will need to enable "same-security-traffic permit intra-interface" on the Cisco.


0
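The following Python model is an added example, not part of the thread and not anyone's production configuration. It walks a packet through the topology in the question in both directions, treating each gateway as a set of connected LANs, static routes and IPsec phase-2 traffic selectors, and shows why the remote user could reach 10.55.2.251 but not hosts behind it: the reply from an office host leaves via its default gateway 10.55.2.1, and that box needs both a route back to 10.55.102.0/24 and permission to forward inside-to-inside. Host addresses 10.55.102.50, 10.55.2.20 and 10.55.4.10 and the device labels are assumptions; the hosting provider's gateway is modelled as a single device.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology in the question; host addresses .50/.20/.10 are assumed.
REMOTE_HOST, OFFICE_HOST, HOSTED_HOST = "10.55.102.50", "10.55.2.20", "10.55.4.10"

class Device:
    """A gateway: connected LANs, static routes and IPsec phase-2 traffic selectors."""
    def __init__(self, name, lans, routes=(), tunnels=None, hairpin_ok=True):
        self.name = name
        self.lans = {ifn: ip_network(n) for ifn, n in lans.items()}
        self.routes = [(ip_network(p), ip_address(nh), via) for p, nh, via in routes]
        self.tunnels = {peer: [(ip_network(l), ip_network(r)) for l, r in sels]
                        for peer, sels in (tunnels or {}).items()}
        # An ASA drops traffic entering and leaving on the same interface unless
        # "same-security-traffic permit intra-interface" is configured.
        self.hairpin_ok = hairpin_ok

    def iface_for(self, addr):
        return next((ifn for ifn, n in self.lans.items() if addr in n), None)

    def tunnel_for(self, src, dst):
        """Peer whose local/remote selector covers src->dst, or None."""
        return next((peer for peer, sels in self.tunnels.items()
                     if any(src in l and dst in r for l, r in sels)), None)

    def accepts_from_tunnel(self, src, dst, peer):
        """The far end must hold the mirror-image selector or the SA is never negotiated."""
        return any(dst in l and src in r for l, r in self.tunnels.get(peer, []))

    def route(self, dst):
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

def trace(devices, src, dst, first_hop, max_hops=8):
    """Walk one direction through the gateways; returns (delivered, hops, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    dev, ingress, hops = devices[first_hop], devices[first_hop].iface_for(src), []
    for _ in range(max_hops):
        hops.append(dev.name)
        if dev.iface_for(dst):                       # destination LAN is directly connected
            return True, hops, "delivered"
        peer = dev.tunnel_for(src, dst)
        if peer:                                     # selector match: encapsulate to the peer
            if not devices[peer].accepts_from_tunnel(src, dst, dev.name):
                return False, hops, f"{peer} has no phase-2 selector for {src}->{dst}"
            dev, ingress = devices[peer], "ipsec"
            continue
        r = dev.route(dst)
        if r is None:
            return False, hops, f"{dev.name} has no route to {dst} (default route points at the ISP)"
        _, nh_ip, via = r
        egress = dev.iface_for(nh_ip)
        if egress == ingress and not dev.hairpin_ok:
            return False, hops, f"{dev.name} refuses {ingress}->{egress} hairpin"
        dev, ingress = devices[via], devices[via].iface_for(nh_ip)
    return False, hops, "hop limit exceeded"

def round_trip(devices, a, a_gw, b, b_gw):
    """Both directions must deliver; the reply leaves via the destination host's default gateway."""
    fwd, rev = trace(devices, a, b, a_gw), trace(devices, b, a, b_gw)
    return fwd[0] and rev[0], fwd, rev

def as_found():
    """Topology as described in the question: two tunnels with nothing tying them together."""
    return {
        "rvl200": Device("rvl200", {"lan": "10.55.102.0/24"},
                         tunnels={"pfsense": [("10.55.102.0/24", "10.55.2.0/24")]}),
        "pfsense": Device("pfsense", {"lan": "10.55.2.0/24"},
                          tunnels={"rvl200": [("10.55.2.0/24", "10.55.102.0/24")]}),
        "asa": Device("asa", {"inside": "10.55.2.0/24"}, hairpin_ok=False,
                      tunnels={"hosting": [("10.55.2.0/24", "10.55.4.0/24")]}),
        "hosting": Device("hosting", {"lan": "10.55.4.0/24"},
                          tunnels={"asa": [("10.55.4.0/24", "10.55.2.0/24")]}),
    }

def as_op_tried():
    """Comment 36551355: only a static route on the ASA pointing at pfSense."""
    d = as_found()
    d["asa"].routes.append((ip_network("10.55.102.0/24"), ip_address("10.55.2.251"), "pfsense"))
    return d

def apply_accepted_fix(d):
    """The full set of changes from comment 36553587."""
    n = ip_network
    d["asa"].tunnels["hosting"].append((n("10.55.102.0/24"), n("10.55.4.0/24")))
    d["hosting"].tunnels["asa"].append((n("10.55.4.0/24"), n("10.55.102.0/24")))
    d["asa"].routes.append((n("10.55.102.0/24"), ip_address("10.55.2.251"), "pfsense"))
    d["asa"].hairpin_ok = True
    d["pfsense"].tunnels["rvl200"].append((n("10.55.4.0/24"), n("10.55.102.0/24")))
    d["pfsense"].routes.append((n("10.55.4.0/24"), ip_address("10.55.2.1"), "asa"))
    d["rvl200"].tunnels["pfsense"].append((n("10.55.102.0/24"), n("10.55.4.0/24")))
    return d

if __name__ == "__main__":
    for label, d in (("as found", as_found()), ("OP's route only", as_op_tried()),
                     ("accepted fix", apply_accepted_fix(as_found()))):
        for b, gw in ((OFFICE_HOST, "asa"), (HOSTED_HOST, "hosting")):
            ok, fwd, rev = round_trip(d, REMOTE_HOST, "rvl200", b, gw)
            print(f"{label}: {REMOTE_HOST} <-> {b}: {'OK' if ok else 'FAIL'} ({fwd[2]}; {rev[2]})")
```

Run as is, the model reproduces the thread: in the as-found state the remote host's packet is delivered to 10.55.2.20, but the reply dies at the ASA, which has no route to 10.55.102.0/24 and follows its default route to the ISP. Adding only the static route, as the author did, turns that into an inside-to-inside hairpin the ASA refuses by default, which is why "did not work" is the expected result. Only the full set of changes (selectors on both ends of both tunnels, routes on both the ASA and pfSense, and the intra-interface permit) makes both round trips pass. A real ASA would additionally apply NAT and interface access lists to the new subnets, which this model leaves out.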
 

Author Comment

by:mdflinux
ID: 36568678
I am working on trying your solutions and will report back on the results.

thank you
0
 
LVL 8

Expert Comment

by:Salah Eddine ELMRABET
ID: 37519067
Hi,

Could you please explain why you use a Linksys and pfSense and a Cisco router with the ASA 5505? Also, I can't see the ASA in the drawing!

Maybe you can easily solve the problem if you think about a good architecture.

BR
0
 

Author Comment

by:mdflinux
ID: 37599837
After learning a bit more and using some of your comments for guidance, I will be changing our network setup and how our VPN users come in. I will use 1 router instead of 2.

again i thank you all for your help.
0
 

Author Comment

by:mdflinux
ID: 37607415
I've requested that this question be closed as follows:

Accepted answer: 0 points for mdflinux's comment #37599837

for the following reason:

instead of forcing something to work i decided to redo it the correct way.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 37607416
Just because the OP made a decision to go another way does not invalidate the answer that I provided in 36553587
0
 

Author Comment

by:mdflinux
ID: 37607524
I don't want to annoy anyone. I appreciate the previous help, but I did not try your solution to see if it would work. Instead, our needs have changed and we are moving, which is giving me the opportunity to set up the network differently. We are also losing the hosting provider.

To be a good sport and for the sake of learning, I will try your solution and report back. Give me 2 weeks.

thank you
0
