LifeisGood
Explorer

VPN client cannot reach a host in a subnet, but can reach the subnet's Layer 3 interface IP

Hello,

We have a CP VPN connected to a CP FW. There is a DMZ (10.10.6.0/24, with 10.10.6.10 as the DMZ interface IP) on the FW. My VPN client got a route from the VPN gateway to route everything to the VPN gateway's external interface (84.84.84.11). See the attached topology for details.

My VPN client can reach the DMZ interface IP on the FW (10.10.6.10). However, the client cannot reach any IPs (e.g. 10.10.6.38) in the DMZ subnet. If I add a host route on the VPN appliance (10.10.6.38/32 --> 10.10.6.10), then the VPN client can reach the host. Could someone help me understand why I have to add a host route, and how to avoid adding 200+ host routes for the DMZ hosts?

0 Kudos
4 Replies
PhoneBoy
Admin

Did you configure the Remote Access Encryption Domain to include the relevant DMZ networks?

0 Kudos
LifeisGood
Explorer

Yes.

0 Kudos
Duane_Toler
Advisor

Is the VPN gateway 1 hop behind the firewall gateway?  Or is it parallel, with the VPN gateway's external interface sharing the same subnet as the firewall gateway?  Your network addressing makes it look parallel.  Your diagram also suggests the VPN gateway's internal interface has to pass traffic back through the firewall gateway on another interface (which is fine).

In addition to the message from PhoneBoy (check his suggestion first), this also sounds like you are missing a return route on the firewall gateway for the office mode subnet (172.10.0/22).  I suspect your firewall gateway, or perhaps the VPN gateway, is performing NAT and you aren't expecting it.  The firewall gateway will see source IP packets of 172.10.0.0/22, so they need to be returned to the VPN gateway.  You can see this with fw monitor.  You can run this command on both gateways, which will give you a hint:

fw monitor -F 172.20.1.2,0,0,0,0 -F 0,0,172.20.1.2,0,0

You can also check your logs and you will see if NAT is being applied.

Similarly, make sure your interior network (10.10.6.0/24) has either a default route, or some type of route, to also send packets for 172.20.0.0/22 back to the firewall gateway.

0 Kudos
LifeisGood
Explorer

Per CP Support, the FW and VPN appliances share interfaces, and all the addresses in those shared subnets on the FW side are considered to be in the same Layer 2 network. That's why the class C route I put in place does not do anything, while more specific host routes work fine. The workaround is to break the class C into specific /25 routes. This workaround worked. Thank you all for your input.

0 Kudos
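The resolution above comes down to longest-prefix-match route selection: the VPN appliance already holds a connected (on-link) route for the shared 10.10.6.0/24 subnet, so a static 10.10.6.0/24 pointing at the firewall never wins the tie, whereas a /32 or a pair of /25s is more specific and does. The following is an added example, not code from the original thread or from Check Point; it models that selection with Python's ipaddress module using the addresses quoted in the thread. The interface name, and the preference for a connected route over a static one at equal prefix length, are assumptions that match common router behaviour rather than anything the thread states.

```python
"""Longest-prefix-match walk-through for the DMZ routing problem in this thread.

Added example (not the thread's or Check Point's code). A connected route for
the shared DMZ subnet competes with static routes of different lengths; the
lookup picks the longest match and, on a tie, prefers the connected route.
The interface name "eth2" is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Addresses from the thread: the FW's DMZ interface is the next hop the
# VPN appliance must use to reach hosts in the DMZ.
DMZ_SUBNET = IPv4Network("10.10.6.0/24")
DMZ_IF = IPv4Address("10.10.6.10")
DMZ_HOST = IPv4Address("10.10.6.38")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means directly connected (on-link)
    interface: str

    @property
    def connected(self) -> bool:
        return self.next_hop is None


# The route the appliance installs itself because the DMZ subnet is on a
# shared interface; it is what the static /24 below cannot displace.
CONNECTED = Route(DMZ_SUBNET, None, "eth2")


def lookup(table: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Return the most specific route covering dst.

    Ties on prefix length go to the connected route (assumed preference).
    """
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, r.connected))


def forwards_via_firewall(table: list[Route], dst: IPv4Address) -> bool:
    """True if traffic to dst is sent to the FW's DMZ interface as next hop."""
    route = lookup(table, dst)
    return route is not None and route.next_hop == DMZ_IF


def table_with_class_c() -> list[Route]:
    """The original attempt: a static /24 that exactly shadows the connected one."""
    return [CONNECTED, Route(DMZ_SUBNET, DMZ_IF, "eth2")]


def table_with_host_route() -> list[Route]:
    """The per-host fix from the question: one /32 per DMZ host."""
    return [CONNECTED, Route(IPv4Network("10.10.6.38/32"), DMZ_IF, "eth2")]


def table_with_half_subnets() -> list[Route]:
    """The workaround from CP Support: split the /24 into two /25 statics."""
    halves = list(DMZ_SUBNET.subnets(new_prefix=25))
    return [CONNECTED] + [Route(h, DMZ_IF, "eth2") for h in halves]


if __name__ == "__main__":
    for name, table in (
        ("static /24", table_with_class_c()),
        ("host /32", table_with_host_route()),
        ("two /25s", table_with_half_subnets()),
    ):
        chosen = lookup(table, DMZ_HOST)
        print(f"{name:10} -> {chosen.prefix} via "
              f"{'connected' if chosen.connected else chosen.next_hop}")
```

Running the block shows the static /24 losing to the connected /24 for 10.10.6.38, while both the /32 and the /25s send it to 10.10.6.10; the same reasoning applies to any DMZ host, not only .38, which is why two /25s replace 200+ host routes.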
