Need Site to Site VPN Help. How to route to a network not directly connected through VPN

Discussion in 'Cisco' started by Evolution, Apr 11, 2006.

  1. Evolution

    Evolution Guest

    I don't think this should be too hard, but I have a general question. I
    set up a Site to Site VPN between a Pix 515 and Pix 501 (easy enough).
    The hard part is getting the internal networks to talk. The network the
    PCs are on connects to a Proxy Server, which then connects to the PIX
    515. The PC network is 10.1.0.0/16 and the Proxy Server has an
    interface on that LAN, and on the network directly connected to the PIX
    515 (192.168.100.0/24) as well. The remote LAN that I'm trying to access
    is 10.4.1.0/24. My ACL for NONAT is set up between 10.1.0.0 and
    10.4.1.0. I'm not sure if I have to NONAT between 192.168.100.0 and
    10.4.1.0, and then add a route into the Proxy Server, or if I keep it
    the way I have, and then add some sort of "route inside or outside"
    command to the PIX. Any help would be greatly appreciated. A diagram of
    the config can be found here:
    http://img140.imageshack.us/img140/1298/vpnhelp2qw.jpg

    THANKS for the HELP!
     
    Evolution, Apr 11, 2006
    #1

  2. Re: Need Site to Site VPN Help. How to route to a network not directly connected through VPN

    Evolution wrote:
    > I don't think this should be too hard, but I have a general question. I
    > set up a Site to Site VPN between a Pix 515 and Pix 501 (easy enough).
    > The hard part is getting the internal networks to talk. The network the
    > PCs are on connects to a Proxy Server, which then connects to the PIX
    > 515. The PC network is 10.1.0.0/16 and the Proxy Server has an
    > interface on that LAN, and on the network directly connected to the PIX
    > 515 (192.168.100.0/24) as well. The remote LAN that I'm trying to access
    > is 10.4.1.0/24. My ACL for NONAT is set up between 10.1.0.0 and
    > 10.4.1.0. I'm not sure if I have to NONAT between 192.168.100.0 and
    > 10.4.1.0, and then add a route into the Proxy Server, or if I keep it
    > the way I have, and then add some sort of "route inside or outside"
    > command to the PIX. Any help would be greatly appreciated. A diagram of
    > the config can be found here:
    > http://img140.imageshack.us/img140/1298/vpnhelp2qw.jpg
    >
    > THANKS for the HELP!
    >


    You'll need a router behind the PIX on the internal network and point
    the routes on the PIX to the router on the inside.

    Chuck
     
    Charles U Farley, Apr 11, 2006
    #2

  3. In article <>,
    Evolution <> wrote:
    >I set up a Site to Site VPN between a Pix 515 and Pix 501 (easy enough).
    >The hard part is getting the internal networks to talk. The network the
    >PCs are on connects to a Proxy Server, which then connects to the PIX
    >515. The PC network is 10.1.0.0/16 and the Proxy Server has an
    >interface on that LAN, and on the network directly connected to the PIX
    >515 (192.168.100.0/24) as well. The remote LAN that I'm trying to access
    >is 10.4.1.0/24. My ACL for NONAT is set up between 10.1.0.0 and
    >10.4.1.0. I'm not sure if I have to NONAT between 192.168.100.0 and
    >10.4.1.0,


    Yes. The traffic that leaves the ESAFE Proxy is sourced from 192.168.100.3,
    so that is the IP address that will be trying to access 10.4.1/24.

    >and then add a route into the Proxy Server, or if I keep it
    >the way I have, and then add some sort of "route inside or outside"
    >command to the PIX.


    You won't need any "route" statement for what you have described.


    However, your diagram indicates that you need full access from 10.1/16
    to 10.4.1/24. To me, that implies that you want 10.1/16 to go -directly-
    to 10.4.1/24 instead of having all the activity proxied through
    the ESafe Proxy at 192.168.100.3.

    If you want to somehow bypass the ESAFE Proxy when going to 10.4.1/24
    then you will need a LAN router to cross-connect the PIX and
    the PCs without going through ESAFE, or else you will need to configure
    ESAFE to pass those particular packets on unchanged; either way,
    you -would- want a route inside statement on the PIX that pointed 10.1/16
    destination traffic through the router (first case) or ESAFE box (second case).
     
    Walter Roberson, Apr 11, 2006
    #3
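The two points made in post #3 can be checked with a small model of the PIX decision path. This is an added illustration, not anything posted in the thread; it simplifies the PIX to "a packet is tunnelled untranslated only if it matches both the nat 0 ACL and the crypto-map ACL" and uses a longest-prefix route lookup, with the upstream gateway address being a placeholder.

```python
from ipaddress import ip_address, ip_network

# Networks taken from the thread: the PC LAN behind the proxy, the LAN between the
# proxy and the PIX, the proxy's egress address, and the remote LAN behind the Pix 501.
PC_LAN = ip_network("10.1.0.0/16")
PROXY_LAN = ip_network("192.168.100.0/24")
PROXY_EGRESS = "192.168.100.3"
REMOTE_LAN = ip_network("10.4.1.0/24")

# An ACL is a list of (source network, destination network) permit entries.
def acl_permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def classify(nonat_acl, crypto_acl, src, dst):
    """Simplified model (assumption) of the PIX inside-to-outside path: traffic reaches
    the far side with its original source only if it matches BOTH the nat 0 ACL and
    the crypto-map ACL. Returns a short label describing the packet's fate."""
    src, dst = ip_address(src), ip_address(dst)
    exempt = acl_permits(nonat_acl, src, dst)
    tunnelled = acl_permits(crypto_acl, src, dst)
    if exempt and tunnelled:
        return "tunnelled, original source kept"
    if tunnelled:
        return "tunnelled, but source translated"  # mirror ACL on the 501 will not match
    return "not tunnelled (sent to the Internet via PAT)"

def next_hop(routes, dst):
    """Longest-prefix match over (network, interface, gateway) entries, like 'route' on the PIX.
    Returns (interface, gateway) or None."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1:] if best else None

# Case 1: the ACLs as posted cover only 10.1/16 <-> 10.4.1/24, but proxied traffic
# arrives at the PIX sourced from 192.168.100.3, so it matches nothing.
AS_POSTED = [(PC_LAN, REMOTE_LAN)]
# Case 2: the extra 192.168.100.0/24 <-> 10.4.1/24 entry that post #3 calls for.
FIXED = AS_POSTED + [(PROXY_LAN, REMOTE_LAN)]

# Return traffic for the PC LAN: without 'route inside 10.1/16' the PIX only has its
# default route (upstream gateway is a placeholder) and sends 10.1.x.x replies outside.
ROUTES_NO_INSIDE = [(ip_network("0.0.0.0/0"), "outside", "203.0.113.1")]
ROUTES_WITH_INSIDE = ROUTES_NO_INSIDE + [(PC_LAN, "inside", PROXY_EGRESS)]

if __name__ == "__main__":
    print(classify(AS_POSTED, AS_POSTED, PROXY_EGRESS, "10.4.1.10"))
    print(classify(FIXED, FIXED, PROXY_EGRESS, "10.4.1.10"))
    print(next_hop(ROUTES_NO_INSIDE, "10.1.5.20"), next_hop(ROUTES_WITH_INSIDE, "10.1.5.20"))
```

The first case shows why the proxied flow never enters the tunnel as posted; the route lookup shows why bypassing the proxy additionally needs a `route inside` for 10.1/16 so replies are not sent out the default route.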
