This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

net to net - routing problem/question

Hello everybody,

I have created a VPN net to net tunnel over x.509 certificates. The tunnel is establishing without any problems. In my opinion everything should work.

But the problem is that i am not able to ping one webserver which is standing in the dmz of asl1. All ping settings (packet filter) are turned on, on both firewalls.

And between the astaro firewalls stands a third fw on which the ports 500 and 4500 are opened. Is this enough or shoud the protocol esp should be open too?

asl1 ---- fw ---- asg2

already thanks, for helpful answers

This thread was automatically locked due to age.

Parents

0 quasar3c279 over 19 years ago

hi,

i assume that you've created the tunnel with the local lan's as the local and remote subnet!? you have to define a tunnel from your lan to the dmz if you want to access it trough the tunnel. otherwise the routing will not work. so if you want to access lan and dmz you have to create two tunnels, one with the lan as the remote subnet and the other one with dmz as remote subnet!

hope this helps!

regards, mario
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to quasar3c279

everything is configured as you described. another idea?
Cancel
Vote Up 0 Vote Down

Cancel
0 quasar3c279 over 19 years ago in reply to toette

are you pinging from the firewall or an internal client?
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to quasar3c279

i ping from the firewall network / ping check. should this work over a vpn tunnel?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 toette over 19 years ago in reply to quasar3c279

i ping from the firewall network / ping check. should this work over a vpn tunnel?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 pablito over 19 years ago in reply to toette

i ping from the firewall network / ping check. should this work over a vpn tunnel?

normally no. The endpoints of a VPN are not part of the VPN.

If you really want ASL to be part of the VPN (forwarding email for example) you can create an SNAT rule. Packets leaving ASL for the far end VPN come from the public side IP and that is why they don't work. SNAT them to the inside IP and that will work. But only do this if you have a real need (pinging isn't a good reason....)
Cancel
Vote Up 0 Vote Down

Cancel
0 quasar3c279 over 19 years ago in reply to pablito

hi,

pablito gave you the solution.

if you want to ping from the firewall you can go to the shell and do:
ping -I INTERNAL_IF_IP TARGET

this works over the tunnel.

regards, mario
Cancel
Vote Up 0 Vote Down

Cancel
0 toette over 19 years ago in reply to quasar3c279

the problem was solved by opening the esp protocol, now i am able to ping over the tunnel.

thanks for answers
toette
Cancel
Vote Up 0 Vote Down

Cancel