[TriLUG] OT: Need some more networking tips, PIX-501
Shane O'Donnell
shaneodonnell at gmail.com
Mon Sep 12 10:41:12 EDT 2005
This _can_ work. Have you tried it without firewalls/VPN involved
(e.g., static routes)?
Also, your VPN has to be tied to publicly routable addresses, not your
192.168. or 10. addresses - I'm assuming you've got that taken care
of...
Shane O.
On 9/12/05, Brian Henning <brian at strutmasters.com> wrote:
> Hi List,
> I'm here again exercising my ignorance in networking. I have
> something going on that I don't understand and can't seem to figure out
> on my own, in trying to configure routing across a VPN.
>
> I'm using a Cisco PIX-501 as the endpoint of the VPN.
>
> Here's the situation I'm /trying/ to create, which doesn't want to work:
>
> Here {{ internet }} There
> 192.168.1.0/24 -> vpn -> 192.168.100.0/24
>
> I already have an established VPN to another location which uses
> 10.x.x.x for internal addresses, and it works fine. Here are the really
> important bits from the PIX config, which appear to highlight the
> sticking point.
>
> nat (inside) 0 access-list vpnnat
>
> access-list vpnnat line 1 permit ip 192.168.1.0 255.255.255.0 10.12.14.0
> 255.255.255.0 (hitcnt=29381)
> access-list vpnnat line 2 permit ip 192.168.1.0 255.255.255.0
> 192.168.100.0 255.255.255.0 (hitcnt=0)
>
> I've tried a number of varying access-list configurations and uncovered
> a pattern that I can predict but do not understand. When a host on my
> network tries to send packets (ping packets in this case) to an address
> that matches acl vpnnat line 1 (i.e. ping 10.12.14.x), the hitcnt for
> that line goes up, as expected. However, when I try to send packets to
> an address that matches line 2 (i.e. ping 192.168.100.x), the hitcnt for
> line 2 does not go up. This is the behavior I'd really like to understand.
>
> Is it because, in the case of line 2, they're both on the same class-B
> unroutable network, *even though the mask is a class-C mask*? Am I
> locked into using a 10.x.x.x address space on the far end of my second VPN?
>
> Anyway, thanks in advance for the insight.
>
> Cheers,
> ~Brian
--
Shane O.
========
Shane O'Donnell
shaneodonnell at gmail.com
====================
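As an added illustration (not code from either poster), a small Python model of the two `vpnnat` lines quoted above, applying PIX "network netmask" matching with first-match semantics. It shows that a 192.168.1.x -> 192.168.100.x packet does match line 2 as written, and that the "same class-B" concern only applies if the mask were 255.255.0.0; so a hitcnt of 0 on line 2 is not explained by the masks themselves, which is consistent with Shane's suggestion to check plain routing first. The sample addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# The two access-list vpnnat lines from the quoted PIX config, as
# (src_net, src_mask, dst_net, dst_mask) in PIX dotted-netmask notation
# (not IOS wildcard masks).
VPNNAT_ACL: List[Tuple[str, str, str, str]] = [
    ("192.168.1.0", "255.255.255.0", "10.12.14.0", "255.255.255.0"),
    ("192.168.1.0", "255.255.255.0", "192.168.100.0", "255.255.255.0"),
]


def in_subnet(addr: str, network: str, netmask: str) -> bool:
    """True if addr lies inside network/netmask (dotted mask, as on a PIX)."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return ipaddress.ip_address(addr) in net


def first_match(src: str, dst: str,
                acl: List[Tuple[str, str, str, str]] = VPNNAT_ACL) -> Optional[int]:
    """Return the 1-based number of the first ACL line matching src->dst,
    or None. Only the first matching line's hitcnt would increment."""
    for line_no, (s_net, s_mask, d_net, d_mask) in enumerate(acl, start=1):
        if in_subnet(src, s_net, s_mask) and in_subnet(dst, d_net, d_mask):
            return line_no
    return None


def overlaps_with_mask(near_net: str, far_addr: str, mask: str) -> bool:
    """Brian's 'same class-B' question: with the given mask applied to the
    near-side network, does the far-side address fall inside it?"""
    return in_subnet(far_addr, near_net, mask)


if __name__ == "__main__":
    # Constructed sample hosts, one per side of each tunnel.
    print(first_match("192.168.1.10", "10.12.14.3"))      # line 1
    print(first_match("192.168.1.10", "192.168.100.20"))  # line 2
    print(first_match("192.168.1.10", "192.168.2.20"))    # no line
    # With the /24 mask actually configured, the far side is a distinct
    # network; only a class-B (/16) mask would lump both sides together.
    print(overlaps_with_mask("192.168.1.0", "192.168.100.20", "255.255.255.0"))
    print(overlaps_with_mask("192.168.1.0", "192.168.100.20", "255.255.0.0"))
```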