2 remote access VPNs, one unable to get traffic across



  • This may be a bit of a doozy, or maybe I'm just missing something obvious.

    Short preface: I asked our sales department to buy a pfSense box for a client.  Instead, they ordered a Cisco ASA 5505.  I've been beating my head against the ASA 5505 for 2 days now without being able to accomplish what I want.  I posted my problem on the Cisco forums, and there are a hundred views with no replies.  Well, needing to get these VPNs set up for this customer 2 days ago, I'm completely fed up with the Cisco.

    I scraped together a pfSense box this evening from an old P4 PC and 3 PCI NICs and I've set up a lab environment at my house.  If all tests well, I'm bringing the pfSense box to the customer's in the morning to get them functional, then we'll order a decent piece of hardware to run it on.

    Here's the setup:
    WAN: connected to cable modem, gets address via DHCP

    LAN: 192.168.1.1/24

    OPT1: 10.4.13.10/20  (the subnet ranges from 10.4.0.0 to 10.4.15.255) – here's the tricky part (I think) - none of the hosts connected to this network have (and by order of the client cannot be assigned) a default gateway or static routes.  The host that I have to test to is 10.4.0.1, which does in fact ping from both the ASA I was trying to configure and from the OPT1 interface of pfSense in my lab environment.

    Ok, so I have one basic OpenVPN setup for users on the internet to access the 192.168.1.0/24 network. The VPN clients connecting here are issued in the 192.168.2.0/24 range.  This one connects and works fine, as the gateway for the 192.168.1.0/24 network is the pfSense box.

    I set up another OpenVPN server on a different port (1195 instead of 1194) and try to give it access to the 10.4.0.0/20 subnet.  The OpenVPN client connects, but I cannot ping 10.4.0.1/20, which I have assigned on a PC connected to the same switch that the OPT1 interface is connected to.

    The only thing I can guess is that the PC at 10.4.0.1 is receiving the ping request, but sees it coming from 192.168.3.0/24 (the VPN pool issued when this VPN connects -- verified I am issued 192.168.3.100 when I connect). The host has no default gateway and 192.168.3.0/24 is not in its subnet, so it doesn't know what to do with it.

    I'm guessing what I need to do is somehow NAT the traffic coming in on the WAN interface from 192.168.3.0/24 via the 10.4.13.10 address.  I can ping the 10.4.13.10 address when I connect to this VPN (which is more than I could do with trying to set up the ASA).  However, I'm not sure how to set this up, or maybe I'm on the wrong track.

    I hope you guys have an answer, because Cisco doesn't and I'm trying to get the company I work for to get away from Cisco and start buying boxes for pfSense.  If I can win this battle I think I'll be well on my way.
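The failure mode the post reasons about (a host with no default gateway answers the echo but cannot route the reply back to the VPN pool) and the proposed fix (source NAT of VPN traffic to the OPT1 address) can be modelled with a small routing-decision simulation. This is an added example, not code from the post or from pfSense; the addresses and the host's routing table are constructed from the setup described above.

```python
"""Simulate the reply-routing decision of the host at 10.4.0.1.

Constructed model of the thread's setup: the host's routing table holds only
its connected subnet (10.4.0.0/20) and no default route. A packet from the
VPN pool (192.168.3.0/24) is received, but the reply has no route. Outbound
NAT on OPT1 that rewrites the source to 10.4.13.10 makes the reply routable.
"""
import ipaddress
from typing import Dict, Optional

# Host routing table: only the directly connected subnet, no default gateway.
HOST_ROUTES: Dict[str, str] = {"10.4.0.0/20": "direct"}

OPT1_ADDR = "10.4.13.10"        # pfSense OPT1 interface address (from the post)
VPN_POOL = "192.168.3.0/24"     # pool of the second OpenVPN server (from the post)
VPN_CLIENT = "192.168.3.6"      # client address seen in the Wireshark capture


def next_hop(routes: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match over the table; None means dst is unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return None if best is None else best[1]


def snat(src: str, match_subnet: str, translate_to: str) -> str:
    """Outbound NAT: rewrite src to translate_to when it is inside match_subnet."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(match_subnet):
        return translate_to
    return src


def reply_deliverable(client_src: str, use_nat: bool) -> bool:
    """Can the host route its echo reply back to the source it saw on the wire?"""
    seen_src = snat(client_src, VPN_POOL, OPT1_ADDR) if use_nat else client_src
    return next_hop(HOST_ROUTES, seen_src) is not None


if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT to OPT1 address: {nat} -> reply deliverable: "
              f"{reply_deliverable(VPN_CLIENT, nat)}")
```

The same check also explains the ASA workaround mentioned later in the thread: a pool address drawn from 10.4.0.0/20 matches the connected route, so the host can address the reply locally, provided the firewall answers ARP for it.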



  • Update, I started Wireshark on the host at 10.4.0.1, connected to the VPN and got issued 192.168.3.6.  I started a continuous ping to 10.4.0.1.  The host is hearing the ping requests but the replies are never getting back to my VPN client at 192.168.3.6.



  • For what it's worth, we figured out a way to do it with the Cisco ASA 5505.  I was able to issue to the VPN users the IP addresses in the same subnet as the 10.4.0.0/20 network.  Then I had to add some very strange looking ACLs allowing 10.4.0.0/20 to talk to 10.4.0.0/20.  That seems very strange to me, but it works.

    I'd still really like to know how to make this work with pfSense, so if anyone has any ideas, or has questions about my setup please chime in.

    Thanks.
