VPN tunnel with other default gateway

briant
Level 1

We're trying to set up a VPN tunnel between a host site and a remote. The host site has a different router/connection that acts as the default gateway and connection to the corporate host and internet. We have a separate connection with a PIX 501 on it. With this PIX we're trying to connect a remote site. The connection will come up, and we can ping from the remote to the host side, but the host site computers can not ping out to the remote. We do not want to change the gateway on the computers at the host, and we don't have access to the host gateway to add routes. Can we make this work?

1 Reply

ehirsel
Level 6

You may have to use the proxy ARP feature of the PIX code to make it work. There are some caveats with using it, but the idea is this:

When there are multiple gateways on the same subnet, which is what I believe you have in your case, hosts connecting to one gateway (i.e., the PIX) will be NATed to an address on that subnet, and when the reply is sent back, the PIX will issue the proxy ARP to tell the sender to send the reply to it.

If the router is already doing proxy ARP then this won't work. Also, if the subnet is small, the PIX can do PAT as well as NAT, but if connections will originate from the host side to the remote, then you need to examine the size of the address space to ensure that you don't run out of room.

The PIX command to enable proxy ARP is:

no sysopt noproxyarp if_name

and more info can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026942

Let me know if this is of help.
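The mechanism ehirsel sketches, and its two caveats (a router that already answers proxy ARP, and a NAT pool that runs out when connections originate on the host side), can be worked through with a small model. The following is an added example written for this page, not code from the thread or from Cisco; the addresses are constructed, and the way the PIX and router are modelled (remote hosts translated into spare addresses on the host-site LAN, the PIX answering ARP for those addresses) is my reading of the answer, simplified, not an emulation of PIX software.

```python
"""Toy model of the proxy-ARP workaround described in the answer above.

Constructed addresses; the PIX and router behaviour is a simplified assumption
(remote hosts are translated to spare LAN addresses and the PIX answers ARP for
them), not an emulation of PIX code.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_network

LAN = ip_network("192.168.10.0/24")     # constructed: host-site subnet
REMOTE = ip_network("10.20.0.0/24")     # constructed: remote-site subnet


class PoolExhausted(Exception):
    """No free LAN address left to represent another remote host."""


@dataclass
class Pix:
    # Pool of host-site LAN addresses that remote hosts are translated to.
    pool: list
    # True models the state after 'no sysopt noproxyarp inside' (proxy ARP on).
    proxy_arp: bool = True
    table: dict = field(default_factory=dict)   # remote IP -> LAN alias

    def translate(self, remote_ip: IPv4Address) -> IPv4Address:
        """Assign (or reuse) a LAN address for a remote host."""
        if remote_ip in self.table:
            return self.table[remote_ip]
        if not self.pool:
            raise PoolExhausted(f"no LAN address free for {remote_ip}")
        lan_ip = self.pool.pop(0)
        self.table[remote_ip] = lan_ip
        return lan_ip

    def answers_arp_for(self, ip: IPv4Address) -> bool:
        return self.proxy_arp and ip in self.table.values()


@dataclass
class Router:
    """The existing default gateway; the poster cannot add routes to it."""
    proxy_arp: bool = False

    def answers_arp_for(self, ip: IPv4Address) -> bool:
        # A router doing proxy ARP answers for any LAN address it believes it
        # can reach, so it competes with the PIX for the translated addresses.
        return self.proxy_arp and ip in LAN


def next_hop(dst: IPv4Address, pix: Pix, router: Router) -> str:
    """Where a host-site PC (default gateway = router) sends a packet to dst."""
    if dst not in LAN:
        return "router"              # off-subnet: default gateway, no tunnel route
    answering = [name for name, dev in (("pix", pix), ("router", router))
                 if dev.answers_arp_for(dst)]
    if not answering:
        return "unanswered"          # nobody claims the address on the LAN
    if len(answering) > 1:
        return "ambiguous"           # two devices answer the same ARP request
    return answering[0]


def scenario(proxy_arp_on_pix=True, proxy_arp_on_router=False,
             pool_size=3, remote_hosts=2):
    """LAN->remote direction for several remote hosts; returns per-host outcome."""
    pix = Pix(pool=[LAN[200 + i] for i in range(pool_size)],
              proxy_arp=proxy_arp_on_pix)
    router = Router(proxy_arp=proxy_arp_on_router)
    outcome = {}
    for i in range(remote_hosts):
        remote = REMOTE[10 + i]
        try:
            lan_alias = pix.translate(remote)
        except PoolExhausted:
            outcome[str(remote)] = "pool exhausted"
            continue
        outcome[str(remote)] = next_hop(lan_alias, pix, router)
    return outcome


if __name__ == "__main__":
    # Without translation the PC hands the packet to the router, which is the
    # poster's current symptom; with translation plus proxy ARP it reaches the PIX.
    print("untranslated:", next_hop(REMOTE[10], Pix(pool=[]), Router()))
    print("working:", scenario())
    print("router also proxy-ARPs:", scenario(proxy_arp_on_router=True))
    print("pool too small:", scenario(pool_size=1, remote_hosts=2))
```

Running it shows the four cases in one place: an untranslated remote address goes to the default gateway and is lost, a translated address is picked up by the PIX, a router that also answers proxy ARP makes the ARP reply ambiguous (the caveat in the answer), and a pool smaller than the number of remote hosts that LAN machines talk to leaves the extra hosts unreachable, which is the address-space sizing point.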