Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX515e Static Route over a VPN 2

Status
Not open for further replies.
LedZepRock

LedZepRock

MIS
Feb 20, 2002
265
GB
Hi, ok I will try to explain..

We have two subnets connected via a VPN

192.168.101.0/24
&
192.168.3.0/24

We also have a Cisco router 192.168.3.5, and that connects to a FTP server (lets call the IP 62.62.62.62) over a ISDN dialup (you can connect to the FTP server from any machine on 192.168.3.0/24 no problem)

But I want to connect to ftp 62.62.62.62 from 192.168.101.250, who do I set up that route on the PIX???

I thought

route outside 62.62.62.62 255.255.255.255 192.168.3.5

As the PIX can already see the 192.168.3.0 subnet, but that no worky, I have put a route on the Cisco of

ip route 192.168.101.0 255.255.255.0 192.168.3.1

Any help would be great.

Simon
 
Sort by date Sort by votes
A couple of things need to be done:

1) Make sure you have the 62.62.62.62 defined as part of your crypto map on both PIXs

2) On the 3.0 firewall, add the route for 62.62.62.62, pointing to 192.168.3.5

I also don't think you need the route statement of 192.168.101.0. With no route defined for the .101 net, traffic should default to the firewall, where it will match the crypto map and be sent to the other device.
 
Upvote 0 Downvote
1) If 192.168.3.5 is on the inside network, the route statement would be "route inside" as in: route inside 62.62.62.62 255.255.255.255 192.168.3.5

2) Did you include the subnet/host address of the ftp server in your vpn configuration/nat 0 statements?


 
Upvote 0 Downvote
Thanks for the response guys..

This was a PIX (our end) to a Checkpoint (the other end, a managed firewall at a hosting centre). I did not add the 62.62.62.62 to the crypto map, so that would explain why the traffic failed to go down the tunnel, so thats cool.
That Cisco route of
ip route 192.168.101.0 255.255.255.0 192.168.3.1
This ISDN router default was down the ISDN, so this was just to make sure it knew how to get to the 192.168.101.0/24 network.

The 192.168.3.5 is at the end of the VPN, so it was not on the inside NIC.
The whole of the 192.168.3.5 is nat 0, so that was OK.

Anyway good news is that we just added a reverse NAT, on the
192.168.3.1 firewall, so now I just ftp 192.168.3.2 and that get translates to 63.63.63.63, seems to work, but until I get the owners of the FTP server to allow access from a network other than 192.168.3.0/24 I can be sure, but when I ftp 192.168.3.2 from the 192.168.101.0/24 network, the ISDN does dial, so alls look good.

Thanks for you help.

Simon
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Miluis
  • Locked
  • Question
How necessary is an antivirus?
Replies
3
Views
504
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
457
gkittelson
gkittelson
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233

Part and Inventory Search

Sponsor

Back
Top