 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VPN pass thru
 Date:  Mon, 9 May 2005 16:16:14 -0400
On 5/9/05, David Kitchens <spider at webweaver dot com> wrote:
> Ok gang, here is my situation, bad ASCII art included, lol
> Client has new fractional t1 to replace dsl circuit in MI office. There is
> an office in IL as well running a satellite connection. Before they got the
> frac t1, the MI office connection came in the dsl, pppoe, and lan side of
> that router was which was plugged into a Cisco 1711 Lan
> interface. The IL office has another Cisco 1711 with static IP on WAN. There
> is a VLAN setup on both Ciscos that runs a VPN between the offices. The only
> thing I have done is to replace the dsl router with a m0n0wall on the new
> frac t1 with a static WAN IP. I gave the LAN on m0n0 the same 3.254 address.
> I know that the IL cisco needs to be reconfigured with the new ip address of
> the frac t1 and there is a tech heading there now to do that for me. I have
> setup a m0n0wall ipsec vpn between the MI office and my home m0n0wall but I
> cannot access their internal network, I can only get to the monowall gui. I
> do have both cisco configs exported if they will be needed by someone to
> help. I am not a cisco pro, I can manage them fine and understand most of
> them but I am far from fluent with IOS. Both units run IOS 12.3. Initial
> question is what ports need forwarded to allow the vpn to function thru
> m0n0wall? Bad ASCII art next...
>    Illinois Cisco    -    internet    -    M0n0wall    -    Michigan Cisco
> WAN    209.x.x.85                        69.x.x.98         192.169..3.1
> LAN             
> Do I need static route in m0n0wall to the 192.168.2.x network? 

Yes.  Any network that isn't directly connected to a m0n0wall
interface or connected over VPN needs a static route.

> I cannot
> connect to their W2K server via terminal session from my home as my vpn is
> to the 3.x network, my network is 192.168.15.x. This is entirely different
> problem but one I found this morning. I really need to first get the VPN
> open thru m0n0wall so the 1.x and 2.x networks can see each other. The DHCP
> is run in IL on the cisco and in MI it's on the W2K server for what that's
> worth. The client ultimately would like to have vpn ability from laptops for
> their sales people when they are on the road. I hoped to do that on m0n0wall
> but since my vpn can't see the 2.x network I assume those later vpns will
> need to be configured on the cisco? Ugh!

Why is the Cisco there anyway?  If m0n0wall is going to be your
firewall, why have the router there at all?  You can do a site to site
tunnel between the Cisco and the m0n0wall.  Mobile user VPN gets more
difficult unless they're fine with using PPTP, since there are
limitations in m0n0wall's IPsec, and you can't get a free client for
it.  If it's a VPN capable router and you maintain SmartNet on it, you
can use the Cisco VPN client for mobile users to connect to the
network.  For mobile users I'd rather use the Cisco.

In order for you to be able to use the Cisco, I believe you'll need a
second public IP since inbound NAT won't work with IP protocols other
than TCP and UDP, and IPsec will require ESP.  You could 1:1 the Cisco
with the 2nd public IP.  Ideally you would also want that router on an
OPT interface of your m0n0wall, since terminating VPN clients on your
LAN is a bad practice if you have an option.