Hi,
At work we have two private networks in different cities. The first network is 10.10.0.0/16 (A) and the other is 10.20.0.0/16 (B). They are connected with a VPN using two Cisco PIX. The VPN works as expected. Computers at network A can access those at network B and vice versa.
The PIX located at network A has other VPN connections to several clients (the same PIX is used for VPN between networks A and B) with similar addressing scheme 10.x.0.0/16.
The question is how can these VPN networks be accessed directly from network B?
The same problem arises when someone wants to connect to network A from the outside using the Cisco VPN client. How can this user access network B (and the other client VPN networks) directly, without first connecting (through ssh) to a server on network A?
Networks A and B consist mainly of Linux and other Unix servers with some Windows PCs.
Regards,
Vlatko Postolov
ASKED: October 20, 2008 8:55 PM
UPDATED: July 15, 2011 8:59 AM
Hi,
I have a very similar setup and the same problem. This has nothing to do with default routes, as at both locations they should always point to the external world in order to route host traffic to the Internet. “IP ROUTE (remote_lan mask remote_site_Firewall_IP)” is essential for communication between site_A and site_B hosts.
In our setup all of this works just fine, but you do not have access to hosts_B if you VPN to Firewall_A (ASA-5520 in our case). By default CISCO does not route VPN traffic to any remote networks. The VPN connection is limited only to a network physically connected to the Firewall and also gives you Internet access (over the tunnel). I can understand why this is the case when you have a site-to-site VPN tunnel between Site_A and Site_B. CISCO could claim that if a user wants to connect to hosts at the other site, they should establish a new VPN connection to that site. Inconvenient, I could say, but doable. But in our setup we have a remote (from the site with the ASA appliance) network connected over a point-to-point dedicated corporate channel.
I have played with all possible combinations of routes and access lists and could not figure it out. I would very much appreciate any ideas or advice.
Best regards,
Dmitry.
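Both posts above describe the same situation: traffic that arrives on the PIX/ASA through one tunnel (site-to-site or remote-access) is not forwarded into another tunnel. On these firewalls the routing table is not what decides that; three things have to agree with each other. The following config fragment is an added example written for this thread, not Vlatko's or Dmitry's configuration. It assumes PIX 7.x / ASA 7.x–8.2 syntax (the "same-security-traffic" hairpinning command does not exist on PIX 6.3, and 8.3+ uses a different NAT syntax), that the VPN interface is named "outside", and it uses placeholder values: a constructed client-site network 10.30.0.0/16, a constructed remote-access address pool 10.99.0.0/24, constructed peer address 203.0.113.2, and made-up ACL, crypto map and group-policy names.

```cisco
! Added example for the PIX/ASA at site A (not the posters' config).
! Site A LAN 10.10.0.0/16, site B LAN 10.20.0.0/16,
! client-site LAN 10.30.0.0/16 (constructed), RA pool 10.99.0.0/24 (constructed).

! 1. Allow traffic that entered "outside" (decrypted from one tunnel) to leave
!    through "outside" again into another tunnel. Without this the firewall
!    drops B -> client-site and RA-user -> B traffic because it never touches
!    an inside interface. PIX/ASA 7.0 and later.
same-security-traffic permit intra-interface

! 2. The crypto ACL for the A<->B tunnel must list every network that should be
!    reachable through it, not only 10.10.0.0/16. The PIX at site B needs the
!    mirror image (same lines with source and destination swapped).
access-list CRYPTO-TO-B extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list CRYPTO-TO-B extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list CRYPTO-TO-B extended permit ip 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0

! 3. Same for the client-site tunnel, mirrored on the client's PIX.
access-list CRYPTO-TO-CLIENT extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list CRYPTO-TO-CLIENT extended permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list CRYPTO-TO-CLIENT extended permit ip 10.99.0.0 255.255.255.0 10.30.0.0 255.255.0.0

crypto map OUTSIDE-MAP 10 match address CRYPTO-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 4. NAT exemption (pre-8.3 syntax): transit traffic between the private
!    networks must not be translated, otherwise it never matches a crypto ACL.
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 5. Remote-access users: the split-tunnel list is what the VPN client uses to
!    decide which destinations go into the tunnel, so B and the client-site
!    network must appear in it as well.
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.20.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.30.0.0 255.255.0.0
group-policy RA-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

Two things worth keeping in mind when applying this. First, the crypto ACLs on the two ends of each tunnel have to be exact mirrors; a permit line present on one side only gives the "no proxy identity match" style of phase-2 failure rather than partial connectivity. Second, once hairpinning is enabled the firewall at site A is a transit router between every tunnel it terminates, including the client networks Vlatko mentions, so each crypto ACL should list only the network pairs that really need to talk (per-host or per-subnet entries rather than blanket 10.0.0.0/8), and "show crypto ipsec sa" is the place to verify which pairs actually have security associations.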
We have the same problem …
Can you solve it?