[TriLUG] OT: Need some more networking tips, PIX-501
Brian Henning
brian at strutmasters.com
Mon Sep 12 12:40:42 EDT 2005
Yeah. The actual VPN aspect doesn't appear to be the problem. The
problem appears to be that the PIX isn't matching packets bound for
192.168.100.0/24, despite the access-list entry.
Static routing across networks I have been able to do. That's not the
problem. The problem is getting the PIX to route 192.168.100.0/24
across the VPN like it's supposed to do. Again, it works perfectly if
the only change I make is substituting "10.12.14.0/24" in place of all
instances of "192.168.100.0/24".
~Brian
Shane O'Donnell wrote:
> This _can_ work. Have you tried it without firewalls/VPN involved
> (e.g., static routes)?
>
> Also, your VPN has to be tied to publicly routable addresses, not your
> 192.168. or 10. addresses - I'm assuming you've got that taken care
> of...
>
> Shane O.
>
> On 9/12/05, Brian Henning <brian at strutmasters.com> wrote:
>
>>Hi List,
>> I'm here again exercising my ignorance in networking. I have
>>something going on that I don't understand and can't seem to figure out
>>on my own, in trying to configure routing across a VPN.
>>
>>I'm using a Cisco PIX-501 as the endpoint of the VPN.
>>
>>Here's the situation I'm /trying/ to create, which doesn't want to work:
>>
>>Here {{ internet }} There
>>192.168.1.0/24 -> vpn -> 192.168.100.0/24
>>
>>I already have an established VPN to another location which uses
>>10.x.x.x for internal addresses, and it works fine. Here's the real
>>important bits from the PIX config, which appears to highlight the
>>sticking point.
>>
>>nat (inside) 0 access-list vpnnat
>>
>>access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0 255.255.255.0 (hitcnt=29381)
>>access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0)
>>
>>I've tried a number of varying access-list configurations and uncovered
>>a pattern that I can predict but do not understand. When a host on my
>>network tries to send packets (ping packets in this case) to an address
>>that matches acl vpnnat line 1 (i.e. ping 10.12.14.x), the hitcnt for
>>that line goes up, as expected. However, when I try to send packets to
>>an address that matches line 2 (i.e. ping 192.168.100.x), the hitcnt for
>>line 2 does not go up. This is the behavior I'd really like to understand.
>>
>>Is it because, in the case of line 2, they're both on the same class-B
>>unroutable network, *even though the mask is a class-C mask*? Am I
>>locked into using a 10.x.x.x address space on the far end of my second VPN?
>>
>>Anyway, thanks in advance for the insight.
>>
>>Cheers,
>>~Brian
>>--
>>TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>TriLUG Organizational FAQ : http://trilug.org/faq/
>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>>
>
>
>