Need Site to Site VPN Help. How to route to a network not directly connected through VPN

Discussion in 'Cisco' started by Evolution, Apr 11, 2006.

  1. Evolution

    Evolution Guest

    I don't think this should be too hard, but I have a general question. I
    setup a Site to Site VPN between a Pix 515 and Pix 501 (easy enough).
    The hard part is getting the internal networks to talk. The network the
    PCs are on connects to a Proxy Server, which then connects to the PIX
    515. The PC network is 10.1.0.0/16 and the Proxy Server has an
    interface on that LAN, and on the network directly connected to the PIX
    515 (192.168.100.0/24) as well. The remote LAN that I'm trying to access
    is 10.4.1.0/24. My ACL for NONAT is setup between 10.1.0.0 and
    10.4.1.0. I'm not sure if I have to NONAT between 192.168.100.0 and
    10.4.1.0, and then add a route into the Proxy Server, or if I keep it
    the way I have, and then add some sort of "route inside or outside"
    command to the PIX. Any help would be greatly appreciated. A diagram of
    the config can be found here:
    http://img140.imageshack.us/img140/1298/vpnhelp2qw.jpg

    THANKS for the HELP!
     
    Evolution, Apr 11, 2006
    #1

  2. You'll need a router behind the PIX on the internal network and point
    the routes on the PIX to the router on the inside.

    Chuck
     
    Charles U Farley, Apr 11, 2006
    #2

  3. Yes. The traffic that leaves the ESAFE Proxy is 192.168.100.3
    so that is the IP address that will be trying to access 10.4.1/24.
    You won't need any "route" statement for what you have described.

    However, your diagram indicates that you need full access from 10.1/16
    to 10.4.1/24. To me, that implies that you want 10.1/16 to go -directly-
    to 10.4.1/24 instead of having all the activity proxied through
    the ESafe Proxy at 192.168.100.3.

    If you want to somehow bypass the ESAFE Proxy when going to 10.4.1/24
    then you will need a LAN router to cross-connect the PIX and
    the PCs without going through ESAFE, or else you will need to configure
    ESAFE to pass those particular packets on unchanged; either way,
    you -would- want a route inside statement on the PIX that pointed 10.1/16
    destination traffic through the router (first case) or ESAFE box (second case).
     
    Walter Roberson, Apr 11, 2006
    #3
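The pieces Walter describes, written out as a PIX 6.x style fragment for the PIX 515 side. This is an added example, not configuration posted by anyone in the thread; the crypto map name OUTSIDE_MAP and the `!` comment lines are assumptions, and the addresses are the ones from the original post.

```cisco
! Added example, not from any poster. PIX 515 side only; the PIX 501 needs
! the mirror image of the NONAT and VPN_TRAFFIC entries (10.4.1/24 as source).

! Exempt both local sources from NAT towards the remote LAN: proxied traffic
! leaves ESAFE as 192.168.100.3, and direct 10.1/16 traffic needs its own
! entry if the proxy is bypassed for that destination.
access-list NONAT permit ip 192.168.100.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Interesting traffic for the tunnel: keep these lines identical to the
! NONAT entries so nothing is tunnelled that is also being translated.
access-list VPN_TRAFFIC permit ip 192.168.100.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list VPN_TRAFFIC permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC

! 10.1/16 is not on a directly connected interface, so reply traffic from
! the tunnel needs a static route inside. Next hop is the ESAFE box here;
! point it at the LAN router instead if you add one to bypass the proxy.
route inside 10.1.0.0 255.255.0.0 192.168.100.3 1
```

Whichever box is the next hop for 10.1/16 also needs its own route for 10.4.1.0/24 back to the PIX inside address, or the forward direction will never reach the tunnel.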
