This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LAN -> ASTARO -> VPN -> ASTARO -> LAN -> DMZ ?????

Hello,

I did setup a VPN my home office and my company by using two Astaros. In the company the Mailserver is based in the DMZ. I have access from my private LAN (192.168.178.0) to the companies Private LAN (10.1.1.0). The company Mailserver is based in the DMZ (192.168.2.0) but I can't access the Mailserver (192.168.2.2) in the DMZ by using the VPN (from the company LAN i have access).

I don't know how I have to setup the routing on both Astaros to get this work.

I hope someone can help me....

This thread was automatically locked due to age.

Parents

0 Daniel_Svensson over 20 years ago

Hi,
I think that the tunnel is just permitting you to access your lan with the vpnsetup you have done. Change your vpn setup to allow more networks. Under IPSec connection -> Subnet Definition (optional) -> Local subnet, change to any network (or maybe its possible to create a network group that includes the dmz and the lan). This is done on the company astaro. You have to change the remote subnet on your home astaro to include the networks you created on the company astaro. This will also allow dmz traffic to go trough the tunnel. This should be working, hopefully... [:)]

Found another document that was interesting, check this out:
http://portal.knowledgebase.net/display/2n/articleDirect/index.asp?aid=119116&r=0.799267

Worked for me
Cancel
Vote Up 0 Vote Down

Cancel
0 PaulKerl over 20 years ago in reply to Daniel_Svensson

Hello,

thank you very much for the answers. I will try as described.

Thanks a lot...

HuGO
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 PaulKerl over 20 years ago in reply to Daniel_Svensson

Hello,

thank you very much for the answers. I will try as described.

Thanks a lot...

HuGO
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 PaulKerl over 20 years ago in reply to PaulKerl

Hello again,

I did try both possibilities. In remote subnet i can only set the 10.1.1.0 Net. If i define a Network-Group, this group will not be shown in the drop down menu to select in the IPSEC-Connection setting.

I did set both Astaros to ANY allow. so it cant be a problem with the package filters I think.

The touting table looks like this:

192.168.1.0/24 -> 10.1.1.0/24
This routing does work perfect.

If I setup a static rout with (at home)

Network=192.168.2.0 --> Target=10.1.1.5 (Company Firewall)

and try to do a tracroute from 192.168.1.0 the packages will be send out using the std. gateway to the internet. So teh packages for target network 192.168.2.0 are not routet to the VPN.

I don't know whats wrong.

Thanks..

HuGO
Cancel
Vote Up 0 Vote Down

Cancel
0 toofreaky over 20 years ago in reply to PaulKerl

Meanwhile I talked with the support ..
It's not possible with routing and it's not possible
to work with network groups at the IPSec-connection definition.

So, you have to establish an IPSec-tunnel for each network, like:
VPN_LAN  ->  home-net
VPN_DMZ1 ->  home-net
VPN_DMZ2 ->  home-net

Hope this helps
Tom
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 19 years ago in reply to PaulKerl

[ QUOTE ]

The touting table looks like this:

192.168.1.0/24 -> 10.1.1.0/24
This routing does work perfect.

If I setup a static rout with (at home)

Network=192.168.2.0 --> Target=10.1.1.5 (Company Firewall)

and try to do a tracroute from 192.168.1.0 the packages will be send out using the std. gateway to the internet. So teh packages for target network 192.168.2.0 are not routet to the VPN.

I don't know whats wrong.

Thanks..

HuGO

[/ QUOTE ]

plz check your vpn setup ('remote network'=10.1.1.0/24). Only traffic to that network would be routed over the ipsec tunnel.

You need an additional ipsec connection for the remote network (192.168.2.0/24) or change your ip design and use CIDR.

regards
Claus
Cancel
Vote Up 0 Vote Down

Cancel