Routing through a tunnel?

dyonsos

MIS
Oct 12, 2003
5
US
Hello,

I'm having a problem routing through a tunnel and quite frankly, I'm not sure what I need to look up or put in to add the route.

I've added the route:

ip route 10.10.10.0 255.255.255.0 192.168.1.7

the 10.10.10.0 subnet is off site at the CEO's house. My main network is 192.168.1.0 and users on the 192.168.1.0 side can ping a server on the 10.10.10.0 network just fine.

I have a gateway router with another subnet 10.1.0.0 and users on the 10.1.0.0 network also cannot ping the 10.10.10.0 network.

We have a static tunnel on the firewall at 192.168.1.6

Basically I have my one router forward all traffic for the 10.10.10.0 network to the gateway route (above 192.168.1.7) and then I have all traffic going to 192.168.1.6 for the 10.10.10.0 network. Originally I set up the traffic from the 10.2.0.0 network to go directly to the firewall at 192.168.1.6

I noticed that there is a command in the "ip route" area that goes further at:

ip route vrf word

but I can't figure this out.

Any help?

Thanks,

Matt
 
No one has any idea?

As simple as I can put it:

What's the command to allow me to map a route to a network that is connected via a tunnel at 192.168.1.6 for the 10.10.10.0 network.

Thanks,

Matt
 
Matt,

It would be the CEO that's having problems :)


The router with subnet 10.1.0.0 is off your main LAN, right?

There are several steps needed here.

First, static routes so that the 10.1.0.0 router can route to 10.10.10.0 via the firewall, and 10.10.10.0 knows how to route back to that subnet. The return path could be a default on the CEO router to the firewall, then the firewall has a router to 10.1.0.0.

You will need a tunnel creating for traffic from 10.1.0.0 to 10.10.10.0, starting on the firewall, with a reverse tunnel from the CEO router.

Are you using NAT on the firewall? If so, you will need to take the tunnel subnets out of the NAT process.
 
Thanks for the reply. Let me try this again and lay this out.

CEO's Network:

10.10.10.0
Server I'm trying to reach is 10.10.10.9
No routers here



Company Network:

Firewall is 192.168.1.6 --> Open tunnel to the CEO's network.

1st Router: 192.168.1.7 -- 10.1.1.1
This is the 10.1.0.0 network
I have all my machines within the company pointing here as the gateway versus the firewall.

Routes setup on the 1st router:
Network --> Destination
0.0.0.0 --> 192.168.1.6
10.10.10.0 --> 192.168.1.6
10.2.0.0 --> 192.168.1.3


2nd Router: 192.168.1.3 -- 10.2.0.1
This is the 10.2.0.0 network

Routes setup on my second router
Network --> Destination
0.0.0.0 --> 192.168.1.7
10.1.0.0 --> 192.168.1.7
10.10.10.0 --> 192.168.1.7



Pings and Trace Routes:

When I'm on the 192.168.1.0 side I ping 10.10.10.9 it resolves just fine.

When I'm on the 10.1.0.0 or 10.2.0.0 networks and I ping 10.10.10.9 it fails.

When I traceroute on the 10.2.0.0 network it shows it going to:

192.168.1.3 --> 192.168.1.7 --- * * * * (just ends off here)

On the 10.1.0.0 network it just goes to 192.168.1.7 basically and stops.


I looked through my one Cisco book and found that there is some command that's needed for tunnels?


Now, if what you're saying is that an entry needs to be entered on the CEO's firewall to tell it where to route the 10.2.0.0 packets, that would actually make sense. I can ask for that to be setup.
 
Ok, there may be more than 1 problem here.

1st, from either 10.1.0.0 or 10.2.0.0 you should be able to ping a device on the 192.168.1.0 network; I'm sure that works fine.

Router 2's routes to 0.0.0.0 and 10.10.10.0 would be better pointing to 192.168.1.6, but it will work the way you have set up. In addition, in both routers the route to 0.0.0.0 will also cover that to 10.10.10.0, but this won't stop it working; it's just cleaner.

The firewall needs routes to 10.1.0.0 and 10.2.0.0, pointing to 192.168.1.7 and .3 respectively. Without this the firewall won't know how to get back to those networks.

As for tunnels, usually there is a tunnel set up for each subnet to subnet path. You probably have a tunnel set up for 192.168.1.0 to 10.10.10.0, do you have tunnels for 10.1.0.0 to 10.10.10.0 and 10.2.0.0 to 10.10.10.0??

These will need configuring at both firewalls.

The command you refer to may be something like
ip route 10.2.3.0 255.255.255.0 t0
If so, this is used for GRE tunnels. I'm assuming (dangerous!) that you are using IPSec.

The ip route vrf is used to set up multiple routing instances in one box, used with MPLS. Not appropriate here :)
 
Hello!

Sorry on this one, this IS present:

The firewall needs routes to 10.1.0.0 and 10.2.0.0, pointing to 192.168.1.7 and .3 respectively. Without this the firewall won't know how to get back to those networks.


I think I may have figured where the problem lies, it's on the other end, heh go figure. I forgot to have routes on that end pointing to my network Doh! I knew it may be something stupid.

 
Well, at least you got there; it's not always that easy to see what's missing.

Fix it and get the CEO to give you a pay rise :)
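
Added example (not part of the original thread): a small Python model of the static routes posted above, tracing the forward and return paths to show why a ping from 10.1.0.0 or 10.2.0.0 fails until the far end has routes back. The device names, the masks other than 10.10.10.0/24, the sample host addresses, and the far end's default route to an ISP are assumptions; IPsec selectors and NAT exemption are not modelled.

```python
import ipaddress

def build_tables(far_end_return_routes=False):
    """Static routes from the thread; device names stand in for next-hop IPs."""
    t = {
        "router2":  {"10.2.0.0/16": "deliver", "192.168.1.0/24": "deliver",
                     "0.0.0.0/0": "router1", "10.1.0.0/16": "router1",
                     "10.10.10.0/24": "router1"},
        "router1":  {"10.1.0.0/16": "deliver", "192.168.1.0/24": "deliver",
                     "0.0.0.0/0": "firewall", "10.10.10.0/24": "firewall",
                     "10.2.0.0/16": "router2"},
        "firewall": {"192.168.1.0/24": "deliver", "10.10.10.0/24": "ceo_fw",
                     "10.1.0.0/16": "router1", "10.2.0.0/16": "router2"},
        # Far end of the tunnel (assumed): knows only the main LAN, rest -> ISP.
        "ceo_fw":   {"10.10.10.0/24": "deliver", "192.168.1.0/24": "firewall",
                     "0.0.0.0/0": "isp"},
    }
    if far_end_return_routes:  # the fix the original poster arrived at
        t["ceo_fw"].update({"10.1.0.0/16": "firewall", "10.2.0.0/16": "firewall"})
    return t

def lookup(table, dst_ip):
    """Longest-prefix match; returns the next hop name or None."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, start, dst_ip):
    """Follow next hops until delivery, a dead end, or a hop limit."""
    path, dev = [start], start
    while dev in tables and len(path) < 16:
        dev = lookup(tables[dev], dst_ip) or "no-route"
        path.append(dev)
    return path

def ping_ok(tables, src_gw, src_ip, dst_gw, dst_ip):
    """A ping needs both the request path and the reply path to deliver."""
    return (trace(tables, src_gw, dst_ip)[-1] == "deliver"
            and trace(tables, dst_gw, src_ip)[-1] == "deliver")

if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(fixed)
        print("far-end return routes:", fixed)
        print("  request:", " -> ".join(trace(t, "router2", "10.10.10.9")))
        print("  reply:  ", " -> ".join(trace(t, "ceo_fw", "10.2.0.50")))
        print("  ping ok:", ping_ok(t, "router2", "10.2.0.50", "ceo_fw", "10.10.10.9"))
```

The request path is complete in both runs; only the reply path changes, which is why the fault cannot be found from the near-side routing tables alone.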
 