[TriLUG] OT: Need some more networking tips, PIX-501

Brian Henning brian at strutmasters.com
Mon Sep 12 12:40:42 EDT 2005


Yeah.  The actual VPN aspect doesn't appear to be the problem.  The 
problem appears to be that the PIX isn't matching packets bound for 
192.168.100.0/24, despite the access-list entry.

Static routing across networks I have been able to do.  That's not the 
problem.  The problem is getting the PIX to route 192.168.100.0/24 
across the VPN like it's supposed to do.  Again, it works perfectly if 
the only change I make is substituting "10.12.14.0/24" in place of all 
instances of "192.168.100.0/24".

~Brian

Shane O'Donnell wrote:
> This _can_ work.  Have you tried it without firewalls/VPN involved
> (e.g., static routes)?
> 
> Also, your VPN has to be tied to publicly routable addresses, not your
> 192.168. or 10. addresses - I'm assuming you've got that taken care
> of...
> 
> Shane O.
> 
> On 9/12/05, Brian Henning <brian at strutmasters.com> wrote:
> 
>>Hi List,
>>   I'm here again exercising my ignorance in networking.  I have
>>something going on that I don't understand and can't seem to figure out
>>on my own, in trying to configure routing across a VPN.
>>
>>I'm using a Cisco PIX-501 as the endpoint of the VPN.
>>
>>Here's the situation I'm /trying/ to create, which doesn't want to work:
>>
>>Here        {{ internet }}     There
>>192.168.1.0/24 -> vpn ->    192.168.100.0/24
>>
>>I already have an established VPN to another location which uses
>>10.x.x.x for internal addresses, and it works fine.  Here's the real
>>important bits from the PIX config, which appears to highlight the
>>sticking point.
>>
>>nat (inside) 0 access-list vpnnat
>>
>>access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0
>>255.255.255.0 (hitcnt=29381)
>>access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0
>>192.168.100.0 255.255.255.0 (hitcnt=0)
>>
>>I've tried a number of varying access-list configurations and uncovered
>>a pattern that I can predict but do not understand.  When a host on my
>>network tries to send packets (ping packets in this case) to an address
>>that matches acl vpnnat line 1 (i.e. ping 10.12.14.x), the hitcnt for
>>that line goes up, as expected.  However, when I try to send packets to
>>an address that matches line 2 (i.e. ping 192.168.100.x), the hitcnt for
>>line 2 does not go up.  This is the behavior I'd really like to understand.
>>
>>Is it because, in the case of line 2, they're both on the same class-B
>>unroutable network, *even though the mask is a class-C mask*?  Am I
>>locked into using a 10.x.x.x address space on the far end of my second VPN?
>>
>>Anyway, thanks in advance for the insight.
>>
>>Cheers,
>>~Brian
>>--
>>TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>>TriLUG Organizational FAQ  : http://trilug.org/faq/
>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>>
> 
> 
> 
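The behaviour Brian is probing (which vpnnat line a packet is counted against) comes down to mask-based matching, which the PIX does per line, top down, using the netmask written on the line rather than the address class. The Python model below is an added example, not part of the thread or of any Cisco code; it parses the two posted vpnnat lines and counts hits for constructed test packets so the mask logic can be checked independently of the box.

```python
# Added example (not from the thread): a model of PIX-style access-list
# matching. Each line is "permit ip <src> <srcmask> <dst> <dstmask>" and
# the first line whose source and destination ranges both contain the
# packet wins. The two ACEs are the ones posted; the hosts are constructed.
import ipaddress


def parse_ace(line):
    """Parse one access-control entry into (action, proto, src_net, dst_net)."""
    fields = line.split()
    action, proto = fields[0], fields[1]
    # ip_network accepts a dotted netmask after the slash; strict=False lets
    # the network address carry host bits without raising.
    src = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
    dst = ipaddress.ip_network(f"{fields[4]}/{fields[5]}", strict=False)
    return action, proto, src, dst


def first_match(acl, src_ip, dst_ip):
    """Return the 1-based number of the first matching line, or None."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl, start=1):
        _, _, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return n
    return None


def hit_counts(acl, packets):
    """Simulate per-line hitcnt for a list of (src, dst) packets."""
    counts = [0] * len(acl)
    for src, dst in packets:
        n = first_match(acl, src, dst)
        if n is not None:
            counts[n - 1] += 1
    return counts


# The two vpnnat lines exactly as posted (action/protocol/src/mask/dst/mask).
VPNNAT = [
    "permit ip 192.168.1.0 255.255.255.0 10.12.14.0 255.255.255.0",
    "permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0",
]

# Constructed pings: one to each remote network, plus one off-network.
PACKETS = [
    ("192.168.1.10", "10.12.14.5"),      # should count on line 1
    ("192.168.1.10", "192.168.100.5"),   # should count on line 2
    ("192.168.1.10", "192.168.101.5"),   # matches neither /24
]
```

Under the masks as written, a 192.168.100.x destination does match line 2, so classless mask matching on its own does not explain a hitcnt of 0; whatever is happening is upstream or downstream of the ACL lookup.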