[TriLUG] OT: Need some more networking tips, PIX-501
Brian Henning
brian at strutmasters.com
Mon Sep 12 10:22:49 EDT 2005
Hi List,
I'm here again exercising my ignorance in networking. I have
something going on that I don't understand and can't seem to figure out
on my own, in trying to configure routing across a VPN.
I'm using a Cisco PIX-501 as the endpoint of the VPN.
Here's the situation I'm /trying/ to create, which doesn't want to work:
Here {{ internet }} There
192.168.1.0/24 -> vpn -> 192.168.100.0/24
I already have an established VPN to another location which uses
10.x.x.x for internal addresses, and it works fine. Here are the really
important bits from the PIX config, which appear to highlight the
sticking point.
nat (inside) 0 access-list vpnnat
access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0 255.255.255.0 (hitcnt=29381)
access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0)
I've tried a number of varying access-list configurations and uncovered
a pattern that I can predict but do not understand. When a host on my
network tries to send packets (ping packets in this case) to an address
that matches acl vpnnat line 1 (i.e. ping 10.12.14.x), the hitcnt for
that line goes up, as expected. However, when I try to send packets to
an address that matches line 2 (i.e. ping 192.168.100.x), the hitcnt for
line 2 does not go up. This is the behavior I'd really like to understand.
Is it because, in the case of line 2, they're both on the same class-B
unroutable network, *even though the mask is a class-C mask*? Am I
locked into using a 10.x.x.x address space on the far end of my second VPN?
Anyway, thanks in advance for the insight.
Cheers,
~Brian
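An added example, not from the post or from Cisco: a small Python model of how a PIX `nat 0 access-list` entry is evaluated, matching source and destination against the quoted network/mask pairs only. Run over the two vpnnat lines above it shows that a ping from 192.168.1.x to 192.168.100.x does match line 2 under ACL semantics, so the shared 192.168.0.0/16 "class B" is not what keeps the counter at zero; the assumption behind the example is that a hitcnt of 0 means the packet never reached this check, which would make the route toward 192.168.100.0/24 and the tunnel's crypto ACL the next things to verify.

```python
import ipaddress
from dataclasses import dataclass

# The two NAT-exemption lines quoted in the post (constructed input, hitcnt ignored).
VPNNAT_ACL = """
access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0 255.255.255.0 (hitcnt=29381)
access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0)
"""


@dataclass(frozen=True)
class AclLine:
    number: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_pix_acl(text):
    """Parse 'access-list NAME line N permit ip SRC SRCMASK DST DSTMASK' entries.

    Only the 'permit ip' form used in the post is handled; the PIX 6.x syntax
    gives subnet masks (not wildcard masks), so they map directly to networks.
    """
    acl = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        # tok: access-list vpnnat line N permit ip SRC SMASK DST DMASK [(hitcnt=..)]
        number = int(tok[3])
        src = ipaddress.IPv4Network((tok[6], tok[7]), strict=False)
        dst = ipaddress.IPv4Network((tok[8], tok[9]), strict=False)
        acl.append(AclLine(number, src, dst))
    return acl


def first_match(acl, src_ip, dst_ip):
    """Return the number of the first matching line, or None (implicit deny).

    Matching is purely mask-based: classful A/B/C boundaries play no part.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in acl:
        if s in line.src and d in line.dst:
            return line.number
    return None


def share_classful_b(a, b):
    """True when two hosts fall in the same 16-bit block, as the post wonders."""
    return ipaddress.IPv4Address(a).packed[:2] == ipaddress.IPv4Address(b).packed[:2]


if __name__ == "__main__":
    acl = parse_pix_acl(VPNNAT_ACL)
    for dst in ("10.12.14.20", "192.168.100.7", "192.168.50.1"):
        print(dst, "-> line", first_match(acl, "192.168.1.5", dst),
              "same /16 as source:", share_classful_b("192.168.1.5", dst))
```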