Unable to connect with router

Discussion in 'Cisco' started by psychogenic, May 24, 2006.

  1. psychogenic

    psychogenic Guest

    Hey all,

    I have a vpn tunnel established between my PIX and a remote site. My
    local machines are configured (used the route add command from command
    prompt) to use the PIX as the default gateway if they want to reach the
    remote site. Prior to adding this PIX we had a router between us and
    the internet. If I reintroduce that router between my PCs and the PIX,
    I can no longer connect to the remote site (internet is fine however).
    I'm guessing this probably means I need to add a "route" in my router
    or? How should the command work?

    Thanks.
    psychogenic, May 24, 2006
    #1

  2. Walter Roberson

    In article <>,
    psychogenic <> wrote:
    >I have a vpn tunnel established between my PIX and a remote site. My
    >local machines are configured (used the route add command from command
    >prompt) to use the PIX as the default gateway if they want to reach the
    >remote site. Prior to adding this PIX we had a router between us and
    >the internet. If I reintroduce that router between my PCs and the PIX,
    >I can no longer connect to the remote site (internet is fine however).
    >I'm guessing this probably means I need to add a "route" in my router
    >or? How should the command work?


    Do you have your router doing Network Address Translation?
    If you do, then try using PIX 6.3 and configuring
    isakmp nat-traversal 20
    Walter Roberson, May 24, 2006
    #2

  3. sampark

    sampark Guest

    Hello Psychogenic,

    I think you have this kind of a network setup

        +--------pix=======Tunnel=========Router
    lan |
        +----Router---------Internet

    To go through the tunnel your PC is using 'route add <ip of remote>
    <mask> <PIX add>' and the default gateway is router to go to the
    internet

    This setup can be optimized
                    +---PIX========tunnel=========router
    lan-------Router|
                    +----------------internet

    For the above topology you need a static route entry in the router to
    point to pix if the user wants to go to the remote router through VPN
    tunnel.
    command will be (router)
    ip route <ip of the remote subnet> <mask> <ip of the PIX>


    or
    lan----------Router-------PIX-----------internet
                              +==============Tunnel

    You do not need any configuration settings in PIX. In the router you
    only need the default router pointing to the PIX.

    Let us know if that works
    -Vikas
    sampark, May 24, 2006
    #3
  4. psychogenic

    psychogenic Guest

    sampark wrote:
    > Hello Psychogenic,
    >
    > I think you have this kind of a network setup
    >
    >     +--------pix=======Tunnel=========Router
    > lan |
    >     +----Router---------Internet
    >
    > To go through the tunnel your PC is using 'route add <ip of remote>
    > <mask> <PIX add>' and the default gateway is router to go to the
    > internet
    >
    > This setup can be optimized
    >                 +---PIX========tunnel=========router
    > lan-------Router|
    >                 +----------------internet
    >
    > For the above topology you need a static route entry in the router to
    > point to pix if the user wants to go to the remote router through VPN
    > tunnel.
    > command will be (router)
    > ip route <ip of the remote subnet> <mask> <ip of the PIX>
    >
    >
    > or
    > lan----------Router-------PIX-----------internet
    >                           +==============Tunnel
    >
    > You do not need any configuration settings in PIX. In the router you
    > only need the default router pointing to the PIX.
    >
    > Let us know if that works
    > -Vikas


    Thanks all for your replies.

    Our setup is currently like this:

    LAN ---- Router ---- PIX ------- Internet
                         +================Tunnel

    As you drew in your last example. The tunnel is set to connect the PIX
    public interface to the remote site's router. The default gateway being
    used by the machines is pointing to the PIX private interface. So on
    the router I just need to add

    ip route <remote site's address or the remote site's router??> <mask>
    <private or public interface of pix?>

    Thanks again.
    psychogenic, May 24, 2006
    #4
  5. sampark

    sampark Guest

    Hello,
    What kind of a router is that?
    Why do you have PIX inside interface as your dgw?
    Why can't the router interface be dgw?
    Is that a cisco router?

    I would have configured it in this way:

    lan---------fe0_Router_fe1---------in_PIX_out---dsl-----internet

    fe0 = 192.168.1.1/24
    lan=192.168.1.0/24
    fe1=192.168.200.1/24
    PIX_in=192.168.200.2/24
    PIX_out=whatever dsl provides (dhcp in most of the cases).

    PC will have router fe0 as the dgw (192.168.1.1)
    router will have dgw as PIX.
    ip route 0.0.0.0 0.0.0.0 192.168.200.2
    PIX will have route
    route outside 0.0.0.0 0.0.0.0 interface outside (please check the
    command syntax)
    PIX will have other natting commands as well
    global (outside) 1 interface
    nat (inside) 1 0

    This way you will be securing the complete lan with the fw. (I hope you
    own the fw)

    I hope I am answering your question.

    -Vikas
    sampark, May 24, 2006
    #5
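A small forwarding simulation, added here as an example and not part of the thread, that reproduces why a PC-level `route add` pointing at the PIX stops working once the router sits between them, and why the default routes sampark describes in post #5 (PC -> router fe0, router -> PIX inside) make both the tunnel and the internet reachable. It uses the addresses from post #5; the PC address, the PIX outside address and the remote subnet 10.10.0.0/16 are assumed placeholders.

```python
import ipaddress as ipa

# Constructed topology using the addresses from post #5 (lan---fe0_Router_fe1---in_PIX_out).
# The PC address, the PIX outside address and the remote subnet 10.10.0.0/16 are assumed placeholders.
REMOTE = ipa.ip_network("10.10.0.0/16")
NODES = {
    "pc":     {"ifaces": ["192.168.1.10/24"], "routes": []},
    "router": {"ifaces": ["192.168.1.1/24", "192.168.200.1/24"], "routes": []},
    "pix":    {"ifaces": ["192.168.200.2/24", "203.0.113.5/30"], "routes": []},
}
ADDR_OWNER = {ipa.ip_interface(i).ip: n for n, d in NODES.items() for i in d["ifaces"]}

def connected(node):
    return [ipa.ip_interface(i).network for i in NODES[node]["ifaces"]]

def lookup(node, dst):
    """Longest-prefix match over connected subnets (next hop None) and static routes (prefix, next_hop)."""
    cands = [(n, None) for n in connected(node)]
    cands += [(ipa.ip_network(p), ipa.ip_address(h)) for p, h in NODES[node]["routes"]]
    return max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen, default=None)

def forward(start, dst):
    """Trace a packet hop by hop; the path ends in 'tunnel', 'internet' or a 'DROP: ...' reason."""
    dst, node, path = ipa.ip_address(dst), start, [start]
    for _ in range(8):
        if node == "pix":  # crypto endpoint: the remote subnet enters the tunnel, the rest leaves via outside
            return path + ["tunnel" if dst in REMOTE else "internet"]
        hit = lookup(node, dst)
        if hit is None:
            return path + [f"DROP: no route on {node}"]
        target = dst if hit[1] is None else hit[1]
        if not any(target in n for n in connected(node)):  # a gateway must sit on a directly connected subnet
            return path + [f"DROP: next hop {target} is not on a connected subnet of {node}"]
        if target not in ADDR_OWNER:
            return path + [f"DROP: {target} unreachable"]
        node = ADDR_OWNER[target]
        path.append(node)
    return path + ["DROP: hop limit"]

def scenario(pc_routes, router_routes):
    """Install the given static routes and trace one remote-site and one internet destination."""
    NODES["pc"]["routes"], NODES["router"]["routes"] = pc_routes, router_routes
    return forward("pc", "10.10.5.7"), forward("pc", "198.51.100.9")

# Original problem: the PC keeps 'route add <remote> <mask> <PIX inside>' after the router is put back in.
BROKEN = scenario([("10.10.0.0/16", "192.168.200.2"), ("0.0.0.0/0", "192.168.1.1")],
                  [("0.0.0.0/0", "192.168.200.2")])
# sampark's layout: PC defaults to router fe0, router defaults to the PIX inside interface.
FIXED = scenario([("0.0.0.0/0", "192.168.1.1")], [("0.0.0.0/0", "192.168.200.2")])
```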
  6. psychogenic

    psychogenic Guest

    sampark wrote:
    > Hello,
    > What kind of a router is that?
    > Why do you have PIX inside interface as your dgw?
    > Why can't the router interface be dgw?
    > Is that a cisco router?
    >
    > I would have configured it in this way:
    >
    > lan---------fe0_Router_fe1---------in_PIX_out---dsl-----internet
    >
    > fe0 = 192.168.1.1/24
    > lan=192.168.1.0/24
    > fe1=192.168.200.1/24
    > PIX_in=192.168.200.2/24
    > PIX_out=whatever dsl provides (dhcp in most of the cases).
    >
    > PC will have router fe0 as the dgw (192.168.1.1)
    > router will have dgw as PIX.
    > ip route 0.0.0.0 0.0.0.0 192.168.200.2
    > PIX will have route
    > route outside 0.0.0.0 0.0.0.0 interface outside (please check the
    > command syntax)
    > PIX will have other natting commands as well
    > global (outside) 1 interface
    > nat (inside) 1 0
    >
    > This way you will be securing the complete lan with the fw. (I hope you
    > own the fw)
    >
    > I hope I am answering your question.
    >
    > -Vikas



    The router is a Yamaha router. There is no nat running since I'm using
    Cisco EasyVPN. I'll change the dgw of the machines to use the router
    instead. I'm not sure about this command:

    route outside 0.0.0.0 0.0.0.0 interface outside

    when i do route outside 0.0.0.0 0.0.0.0 ?

    It asks me: The address of the gateway by which the foreign network
    is reached.

    So I add in the public interface?

    Thanks.
    psychogenic, May 24, 2006
    #6
  7. Vikas

    Vikas Guest

    Hello,

    This is the default route which will be there in the PIX.
    Vikas, May 25, 2006
    #7
  8. psychogenic

    psychogenic Guest

    Vikas wrote:
    > Hello,
    >
    > This is the default route which will be there in the PIX.


    Thanks, I can finally connect to the remote site when the router is put
    back in. However, now there's a new problem where I can't get to the
    internet now. If I bring down the vpn tunnel then internet seems to
    work fine. Can they not co-exist on the same interface?
    psychogenic, May 25, 2006
    #8
  9. Vikas

    Vikas Guest

    You are using Easy VPN (which is not that easy btw). Internet and easy
    VPN can coexist only if the configuration allows it to coexist.
    The nat/path needs to be enabled by the server side by split tunnel or
    that can be converted to Network Mode.
    Nothing is in your PIX which can be changed.

    You can disable the easy vpn client when you are accessing the internet.


    Vikas
    Vikas, May 26, 2006
    #9
  10. psychogenic

    psychogenic Guest

    Vikas wrote:
    > You are using Easy VPN (which is not that easy btw). Internet and easy
    > VPN can coexist only if the configuration allows it to coexist.
    > The nat/path needs to be enabled by the server side by split tunnel or
    > that can be converted to Network Mode.
    > Nothing is in your PIX which can be changed.
    >
    > You can disable the easy vpn client when you are accessing the internet.
    >
    >
    > Vikas



    I am using network extension mode for easyvpn and preferably it's
    something I do not want disabled.
    psychogenic, Jun 2, 2006
    #10