I have visio’d this as it is a bit difficult to type
The Mobile device has a Vodafone 3G address of 10.57.x.x/8 etc on a Class A
You run a VPN connection to the client Firebox at 62.yyy.yyy.yyy, and get connected with an internal Class B address of 10.148.129.x/16
They have a Core switch with 2 LANs on 10.148.x.x/16 and 100.148.x.x/16
Every LAN or remote PC based on 10.148.x.x can access 100.148.x.x and vice versa.
If you ping or tracert their 100.148.x.x range from a Windows Mobile client, you hop across their 10.148.0.0 LAN, seemingly bypassing the Vodafone 10.0.0.0/8, over the core switch on 10.148.0.253 to the 100.148.0.0 LAN and get a reply, but I suspect that is because Vodafone wouldn’t know 100.148.0.0.
If you ping or tracert their 10.148.x.x range, you get no reply, despite the fact that you are on it (seemingly).
We think it is a NAT/routing issue, as Vodafone is on 10.0.0.0/8, which encompasses the client's 10.148.0.0 range, as you’d expect but NOT want. When you try the ping to 100.148.0.0 it hops via the very switch you would ‘expect’, but when you try the ping to 10.148.0.0 it drops to Vodafone.
Why do the Vodafone IPs on 10.252.x.x/8 take preference for a 10.148.0.0/16 ping, while 100.148.0.0/16 seems to go via the VPN gateway?
I suspect that, as the 100.148.0.0 range is unknown to the Vodafone system, the mobile device forwards it to its PPTP default gateway (the Firebox), whereas the Vodafone system picks up 10.148.0.0 requests on its default gateway and drops them.
Can anyone think of a way around this? We don’t know how or if you can add static routes to a Windows Mobile device.
I saw years ago a masquerade NAT/ACL on a Cisco switch, where a 192.168.50.x range was translated from requests to 172.10.x.x. For example, there were two 192.168.50.x LANs on the same leased-line WAN network, but one masqueraded as 172.10.x.x ‘in front’ of the router. If someone knows whether a Firebox can do this, we could do, say, 20.148.0.0 translated to 10.148.0.0 for the mobile users only?
But a 1:1 or dynamic NAT doesn't do it for VPN users on the Firebox trusted interface, though it does translate for LAN-based machines.
Or does anyone know if we can add a route to the mobile?
say ROUTE ADD 10.148.0.0 mask 255.255.0.0 10.148.0.253
A laptop using the mobile as a modem doesn’t have this issue, despite being on the same Vodafone range: a Windows laptop, using the same 3G mobile as a modem with 10.57.x.x on Vodafone, can route across to the client's 10.148.0.0 range OK.
Any hints or suggestions would be really cool (hopefully the link should be OK).
cheers
Gurner
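The behaviour described in the post is what longest-prefix-match route selection produces when the carrier hands the handset an on-link 10.0.0.0/8 and the VPN only installs a default route. The following is an added example, not part of the original post: it simulates a route table for the handset, looks up the post's destinations, and then adds the `ROUTE ADD 10.148.0.0 mask 255.255.0.0` route the poster asks about. The table entries, metrics and host addresses (10.148.129.5 for the VPN-assigned address, 100.148.0.10 as a target host) are assumptions constructed from the post's description, not a dump of a real device.

```python
import ipaddress

# Constructed route table modelling the post's Windows Mobile client. This is an
# assumption inferred from the observed ping/tracert behaviour, not a real dump.
# Each entry: (prefix, egress label, metric); lower metric wins ties.
VPN = "pptp (Firebox 62.y.y.y)"
CELL = "vodafone 3g"

ROUTES_BEFORE = [
    ("0.0.0.0/0",       VPN,  1),    # VPN client's default route, preferred by metric
    ("0.0.0.0/0",       CELL, 25),   # carrier's default route
    ("10.0.0.0/8",      CELL, 25),   # carrier's on-link /8 that covers the client's 10.148.0.0/16
    ("10.148.129.5/32", VPN,  1),    # the VPN-assigned host address itself (assumed /32, constructed)
]


def lookup(routes, dst):
    """Longest-prefix match; metric breaks ties. Returns (prefix, egress) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, prefix, egress)
    return None if best is None else (best[1], best[2])


def with_static_route(routes, prefix, egress, metric=1):
    """Return a copy of the table with one extra static route (the poster's ROUTE ADD)."""
    return routes + [(prefix, egress, metric)]


def trace_egress(routes, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {dst: lookup(routes, dst)[1] for dst in destinations}


# Destinations from the post: the core switch, a host on the 100.148 LAN, a carrier address.
TARGETS = ["10.148.0.253", "100.148.0.10", "10.57.1.1"]

if __name__ == "__main__":
    print("before:", trace_egress(ROUTES_BEFORE, TARGETS))
    # 10.148.0.253 -> vodafone 3g (the /8 beats the VPN default route)
    # 100.148.0.10 -> pptp (only the default route matches; VPN wins on metric)
    after = with_static_route(ROUTES_BEFORE, "10.148.0.0/16", VPN)
    print("after ROUTE ADD 10.148.0.0/16 via VPN:", trace_egress(after, TARGETS))
    # 10.148.0.253 -> pptp (the /16 is now the longest match), 10.57.1.1 still -> vodafone 3g
```

The simulation binds the added /16 to the VPN interface. One caveat a practitioner would check on a real client: the gateway address in the post's `ROUTE ADD` (10.148.0.253) is itself inside the carrier's 10.0.0.0/8, so the operating system must associate the new route with the VPN interface rather than resolving that next hop as on-link via the cellular interface; if it does the latter, the route changes nothing.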