[TriLUG] OT: Need some more networking tips, PIX-501

Shane O'Donnell shaneodonnell at gmail.com
Mon Sep 12 10:41:12 EDT 2005 

This _can_ work.  Have you tried it without firewalls/VPN involved
(e.g., static routes)?

Also, your VPN has to be tied to publicly routable addresses, not your
192.168. or 10. addresses - I'm assuming you've got that taken care
of...

Shane O.

On 9/12/05, Brian Henning <brian at strutmasters.com> wrote:
> Hi List,
>    I'm here again exercising my ignorance in networking.  I have
> something going on that I don't understand and can't seem to figure out
> on my own, in trying to configure routing across a VPN.
> 
> I'm using a Cisco PIX-501 as the endpoint of the VPN.
> 
> Here's the situation I'm /trying/ to create, which doesn't want to work:
> 
> Here        {{ internet }}     There
> 192.168.1.0/24 -> vpn ->    192.168.100.0/24
> 
> I already have an established VPN to another location which uses
> 10.x.x.x for internal addresses, and it works fine.  Here's the real
> important bits from the PIX config, which appears to highlight the
> sticking point.
> 
> nat (inside) 0 access-list vpnnat
> 
> access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0
> 255.255.255.0 (hitcnt=29381)
> access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0
> 192.168.100.0 255.255.255.0 (hitcnt=0)
> 
> I've tried a number of varying access-list configurations and uncovered
> a pattern that I can predict but do not understand.  When a host on my
> network tries to send packets (ping packets in this case) to an address
> that matches acl vpnnat line 1 (i.e. ping 10.12.14.x), the hitcnt for
> that line goes up, as expected.  However, when I try to send packets to
> an address that matches line 2 (i.e. ping 192.168.100.x), the hitcnt for
> line 2 does not go up.  This is the behavior I'd really like to understand.
> 
> Is it because, in the case of line 2, they're both on the same class-B
> unroutable network, *even though the mask is a class-C mask*?  Am I
> locked into using a 10.x.x.x address space on the far end of my second VPN?
> 
> Anyway, thanks in advance for the insight.
> 
> Cheers,
> ~Brian
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
> 


-- 
Shane O.
========
Shane O'Donnell
shaneodonnell at gmail.com
====================

More information about the TriLUG mailing list