2811 ROUTERS and adding routing information. How to

dschneidermars1
Level 1

I am looking for some guidance. I do not know what to do in this situation or how to do it. I need to route traffic internally going to 10.x.x.x to two external IP addresses and subnets. Does anyone have any step-by-step configuration methods on how to do this? I have Cisco 2811 devices.

20 Replies

Jon Marshall
Hall of Fame

We need quite a bit more information if we are going to be able to help.

An idea of the network layout, what devices are involved etc.

Jon

I have a VPN configured from a vendor that sits behind the firewall. All internal traffic connects to Cisco 2950 switches, and those connect to a Cisco 2811 router. The vendor wants all traffic going to 10.x.x.x (the VPN internal interface) to be able to reach the external IP 172.x.x.x and its subnet. What I believe I need to do is create a static IP route. I am not sure how to configure that.

Sorry but it's still really unclear what you are trying to do.

When you say you need to send traffic going to 10.x.x.x to two external IPs, what exactly do you mean?

Do you mean you need to NAT the 10.x.x.x IPs to 172.x.x.x IPs, or something else?

If you could draw a quick diagram and tell us exactly what you want, i.e.

what are the source IPs, what are the destination IPs, what do you want to happen and where?

Jon

No. We received a router configured for a vendor that has an external public IP and an internal IP. This is the VPN that sits on the DMZ, and the DMZ connects to the firewall. All of the clients can now ping the internal IP of the VPN because the VPN is connected to the internal switch. However, this vendor says I have to route traffic to his data center, and as of right now I can't ping his data center from the internal network. I am guessing I have to route traffic on my internal router. The firewall will do a 1:1 NAT to the public IP of the VPN interface. How can I route traffic out to the data center?

You will need a route or routes on your internal router for the DC subnets pointing to the firewall inside interface.

And then on your firewall you will also need a route or routes for the DC subnets pointing to the internal IP of the VPN device.

Jon

How would the IOS commands look for that?

Is that a static ip route command? For example, the outside data center I have to route to is 192.168.2.x 255.255.255.0.

My internal firewall interface is 10.0.0.58.

The internal interface of the VPN is 10.0.0.243.

We have someone managing our firewall, so I can have them do that. But if I can add the routes on my internal router, that would be great. I just don't want to add something to the router and take it totally down.

One other point.

Before you add that route I would have assumed that you had a default route on your router pointing to the inside interface of your firewall for internet traffic.

If you do then you do not need to add the specific route on your router as the default route would take care of that traffic.

You would probably still need a route added to the firewall though.

Jon

For your router it would be -

ip route 192.168.2.0 255.255.255.0 10.0.0.58

and then all traffic sent to any 192.168.2.x IP would be sent to the firewall.

What is a little unclear is that depending on the subnet mask the internal IP of the firewall and the internal IP of the VPN could be in the same IP subnet.

It depends on the subnet mask used, but are you sure that to get to the VPN device you have to go via the inside interface of the firewall?

If you are then the above route should do the trick.

Jon

Thank you, I will do this Monday and follow back with you.

I found out what I need is a route to bypass the firewall.

ip route 192.168.2.0 255.255.255.0 10.0.0.58 (was the route I was going to use)

How would I route this traffic to bypass 10.0.0.58?

 

Well that's what I was asking in my last post ie. the internal VPN IP seemed to be on the same IP subnet as your firewall but I couldn't say for sure because you didn't give the subnet masks with the IP addresses.

If it is on the same IP subnet then the route would be -

ip route 192.168.2.0 255.255.255.0 10.0.0.243

but that only works if the VPN device is on the same IP subnet.

Bear in mind also that whenever someone says "bypass the firewall" that should make you stop and think as to whether that is what you want to do.

Your firewall is there for a good reason and from my experience some vendors will happily tell you to do this just to get their connectivity working with little regard for how it affects your security.

Jon

OK, that worked, I added the route in. I also added another route to 172.16.24.0 255.255.248.0 10.0.0.243 and I still can't reach their network. My vendor told me to check the mask of the router. How do I do that, and how could I make this work?

If you do a traceroute from a client that needs to connect to the DC then what does it show ?

It won't work all the way but if the last hop is the VPN IP ie. 10.0.0.243 then your vendor needs to get their VPN working properly.

Again bypassing the firewall is not a good idea and there should be no need to do it ie. if your firewall supported it putting the VPN device on a DMZ would be far better.

Jon

If I do a tracert to 172.16.28.2, it stops at 10.0.0.253, which is my router.

Our subnet is 255.255.255.0; the subnet for the 172 address is 255.255.248.0.

He is telling me I have to make a change on my router. I don't know what to do.
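An added example, not part of the thread: a small Python check of the two static routes and masks posted above against the router's connected subnet, covering both Jon's "only works if the VPN device is on the same IP subnet" caveat and the vendor's "check the mask of the router" request. It assumes the router LAN interface is 10.0.0.253 with the 255.255.255.0 mask the poster gave; the route and destination values are the ones from the thread.

```python
"""Check candidate IOS static routes (`ip route <dst> <mask> <next-hop>`)
before typing them in: does the next hop sit on the router's own subnet, and
which route (longest prefix match) would carry a given destination?"""
import ipaddress

# Constructed from the thread: router LAN interface (assumed 10.0.0.253/24,
# the poster's mask) and the two static routes the poster added.
ROUTER_IFACE = ipaddress.ip_interface("10.0.0.253/255.255.255.0")
ROUTES = [
    ("192.168.2.0", "255.255.255.0", "10.0.0.243"),
    ("172.16.24.0", "255.255.248.0", "10.0.0.243"),
]


def next_hop_is_connected(next_hop: str, iface=ROUTER_IFACE) -> bool:
    """True if the next hop is inside the router's interface subnet, i.e. the
    router can ARP for it directly. A next hop outside every connected subnet
    must itself be resolvable via another route, or the static never forwards."""
    return ipaddress.ip_address(next_hop) in iface.network


def matching_route(dest: str, routes=ROUTES):
    """Longest-prefix match over the static routes: returns (network, next_hop)
    that would forward `dest`, or None if no static route covers it (traffic
    then falls to the default route, if one exists)."""
    best = None
    for net, mask, nh in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        if ipaddress.ip_address(dest) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, nh)
    return best


def check(dest: str) -> str:
    """Human-readable verdict for one destination address."""
    match = matching_route(dest)
    if match is None:
        return f"{dest}: no static route, default route (if any) applies"
    network, nh = match
    where = "on connected subnet" if next_hop_is_connected(nh) else "NOT on a connected subnet"
    return f"{dest}: matches {network} via {nh} (next hop {where})"


if __name__ == "__main__":
    for d in ("172.16.28.2", "192.168.2.10", "8.8.8.8"):
        print(check(d))
```

For the thread's values this confirms that 172.16.28.2 is inside 172.16.24.0/21 and that 10.0.0.243 is on the router's /24, so a traceroute dying at the router itself points at the VPN device or the vendor side rather than at a missing route.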
