
Author Topic: DFL 210: problem with traffic redirect  (Read 6965 times)

Terrance

  • Level 1 Member
  • *
  • Posts: 5
DFL 210: problem with traffic redirect
« on: February 24, 2012, 03:43:06 PM »

Hello, I'm having a headache with traffic redirection. I'll explain my situation:

OFFICE A:
lan subnet 172.16.126.x
wan subnet 192.168.0.x
dmz subnet 172.16.127.x

OFFICE B:
lan subnet 172.16.129.X

Both offices are connected through a Cisco VPN configured by our ISP. Office A Cisco's gateway is 172.16.127.1 (for example) and Office B Cisco's gateway is 172.16.128.1.

The Cisco in Office A acts as a router, which I have connected through DMZ to grant access.

I need to redirect all http and ftp traffic through WAN and, here's the issue, redirect all 172.16.129.X traffic through DMZ, so I can access the net from A to B. Only a DFL is present in Office A.

Any ideas will be very appreciated.

If you need more details about the configuration, feel free to ask.

Thanks in advance.
Logged

Terrance

  • Level 1 Member
  • *
  • Posts: 5
Re: DFL 210: problem with traffic redirect
« Reply #1 on: February 25, 2012, 02:33:01 AM »

UPDATE:

In Office B, the server which acts as gateway for the whole net has 2 net cards: CARD1 with subnet 172.16.129.X (local lan) and the other, CARD2, which connects to the Cisco at 172.16.128.X.

I've configured the DFL which is located in Office A and I can ping CARD2 in the server. I can mstsc too using that address, but I can't ping anything located in 172.16.129.X. Logging says

Warning RULE 6000051 Default_Rule ICMP lan from my local IP to the destination IP in subnet 172.16.129.X ruleset_drop_packet.
ipdatalen=40 icmptype=ECHO_REQUEST echoseq=9075

Above that error it throws another:

Warning RULE 6000051 Default_Rule UDP dmz 172.16.126.60 (my computer IP) to 172.16.126.255 (which is nothing) Src/Dst_Port 137 137 ruleset_drop_packet

I must be missing a rule, but which one?
Logged

Terrance

  • Level 1 Member
  • *
  • Posts: 5
Re: DFL 210: problem with traffic redirect
« Reply #2 on: February 25, 2012, 04:07:36 AM »

UPDATE 3:

Connection between the 2 offices works fine. Now I'm in need of redirecting all http and ftp traffic through WAN1 and the rest of the traffic through DMZ. I'm trying to configure another Routing table and Routing rule but no luck. Any ideas will be appreciated.
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: DFL 210: problem with traffic redirect
« Reply #3 on: February 25, 2012, 08:04:26 AM »

Your schema seems complicated - as I can see, you have two routers in each office

Please make an image of your schema

Also, please describe: does the DFL in office A have a route to network B through the Cisco? Which DFL interface is the Cisco connected to? DMZ?

Generally, all policy-based routing is done with an alternative routing table + PBR rule

Also, if it is necessary to route some network over IPsec, it should be included in the IPsec ACL
Logged
BR, Alexandr Danilov
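The "alternative routing table + PBR rule" approach from the reply above, sketched as an added example that is not part of the original thread and is not NetDefendOS syntax. It is a small Python model using the thread's subnets; the table names, rule names, WAN gateway 192.168.0.1 and the 203.0.113.10 test address are assumptions.

```python
import ipaddress

# Constructed tables modelled on Office A's addressing from the first post.
# 172.16.127.1 is the Cisco gateway named there; 192.168.0.1 is assumed.
TABLES = {
    "main": [  # default table: everything else leaves via the DMZ-side Cisco
        ("172.16.126.0/24", "lan", None),
        ("172.16.127.0/24", "dmz", None),
        ("172.16.129.0/24", "dmz", "172.16.127.1"),
        ("0.0.0.0/0", "dmz", "172.16.127.1"),
    ],
    "web_via_wan": [  # alternative table: only a default route out the WAN
        ("0.0.0.0/0", "wan", "192.168.0.1"),
    ],
}

# PBR rules: (name, source interface, destination net, dst ports, table).
# First match wins, so the Office B exception must precede the http/ftp rule;
# otherwise web traffic to 172.16.129.x would be sent out the WAN.
PBR_RULES = [
    ("office_b_stays_main", "lan", "172.16.129.0/24", None, "main"),
    ("http_ftp_to_wan", "lan", "0.0.0.0/0", {21, 80}, "web_via_wan"),
]

def select_table(src_iface, dst_ip, dst_port):
    """Return the routing table chosen by the first matching PBR rule."""
    dst = ipaddress.ip_address(dst_ip)
    for _name, iface, net, ports, table in PBR_RULES:
        if (iface == src_iface and dst in ipaddress.ip_network(net)
                and (ports is None or dst_port in ports)):
            return table
    return "main"  # no rule matched: fall back to the default table

def lookup(table, dst_ip):
    """Longest-prefix match inside one table -> (interface, gateway)."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(n), i, g) for n, i, g in TABLES[table]
            if dst in ipaddress.ip_network(n)]
    if not hits:
        return None
    _net, iface, gw = max(hits, key=lambda h: h[0].prefixlen)
    return iface, gw

def route(src_iface, dst_ip, dst_port):
    """Full decision: pick the table, then the route within it."""
    table = select_table(src_iface, dst_ip, dst_port)
    hop = lookup(table, dst_ip)
    return (table, *hop) if hop else (table, None, None)
```

Route selection and rule-set permission are separate checks: a packet with a valid route is still dropped by Default_Rule, as in the log in Reply #1, when no rule allows it.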

Terrance

  • Level 1 Member
  • *
  • Posts: 5
Re: DFL 210: problem with traffic redirect
« Reply #4 on: February 25, 2012, 02:26:20 PM »

Thanks for the reply, let's face it from the beginning:

We have 2 offices connected by a VPN bought by the company and configured by our ISP (we have had this for a long time, since before we could make VPNs with firewalls) and we are using them. We had to buy a DFL 800 because we needed to connect to an external application through an IPSec channel. That is working fine, but the company that provides us the application only gives us 1 public IP address to connect. We connect to the application through an IP address (I'll give the details later).

So in the office B we had to put another DFL 210 to connect through Tunnel to the DFL 800 so we can use the application also in Office B, so both offices connect to the only one public IP of the application.

OFFICE A

Server A
 - Lan1: IP=ServerLan1
 - Lan2: IP=ServerLan2 GW=CiscoOfficeA_IP

Cisco Office A
 IP=CiscoOfficeA_IP

DFL 210
 Lan: IP=DFL_Lan_IP
 DMZ: IP=DMZ_IP GW=CiscoOfficeA_IP
 Wan: IP=WanIP GW=Router_IP
 

OFFICE B

Server B
 Lan1: IP=ServerLan1
 Lan2: IP=ServerLan2 GW=CiscoOfficeB_IP

I'm sending you all raw screenshots from DFL 210.

Now it is not working. If I get clients to see internet and lan, they can't connect to the external application. If I configure it for internet and external application, they can't see lan.

I hope you can throw some light here.



Logged

Terrance

  • Level 1 Member
  • *
  • Posts: 5
Re: DFL 210: problem with traffic redirect
« Reply #5 on: February 27, 2012, 12:29:09 AM »

LAST UPDATE

Current state is:

 - Communication between offices works sweet
 - Internet through firewall (where users have to login) works perfect
 - External application through tunnel from Office A to Office B does not work.

I'm preparing good documentation that is more understandable. I'll send you the last working backup so you can figure this out.
Logged