Linux route to different subnet

Tags: linux, routing, subnet, vpn

Bit confused over how to handle a likely simple routing issue.

I VPN into my Cisco ASA on 10.1.x.x subnet. Now, I would like to not only interact with private 10.1.x.x, but also with dmz on 172.16.x.x.

In a TAC session, the Cisco rep confirmed that traffic is allowed for my VPN user on both subnets; he said the issue is that while traffic is flowing from 10.1.x.x to 172.16.x.x just fine, traffic is not passing back from 172 to 10; therefore it is a routing issue on the target server.

On a Linux system (CentOS), how would one add a route so that traffic initiated from say, 10.1.50.1 to 172.16.50.1 (the default gw and primary server nic) can flow back and forth?

While I like experimenting I'd prefer not to butcher the route and have customers complain that their websites are not loading 😉

Example setup:
eth0 is 172.16.50.1 and has gateway of 172.16.1.1 with mask 255.255.0.0
eth1 is 10.1.50.1 with mask 255.255.0.0
VPN user IP is in the 10.1 subnet, e.g. 10.1.200.1

Thanks for pointers!

Best Answer

The question was how to route to a different subnet on Linux. I explained the situation in detail; general replies without specifics were given.

I hacked it out on a dev server:

route add -net 10.1.200.0 netmask 255.255.255.0 gw 172.16.1.1   # 10.1.200.0/24 is the VPN IP pool

and then applied it to production. Works a charm and, to boot, conserves a host that would have otherwise counted against the ASA base license limit of 10 hosts -- i.e. when ssh'ing into 10.1.50.1 the host count increased by 1, since the VPN user is considered "outside" the ASA, but when ssh'ing into the same machine on 172.16.50.1 the host count remains the same, since this interface has already consumed a host by virtue of its constant in/out traffic with the outside world.
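Why the more specific route fixes the return path, as an added example that is not part of the question or the answer above: the VPN pool 10.1.200.0/24 falls inside eth1's connected subnet 10.1.0.0/16, so without the extra route the server sends its replies to 10.1.200.1 out eth1 and ARPs for the client there, where it does not exist (the client sits behind the ASA). The /24 route wins longest-prefix match over the connected /16 and pushes replies back through the ASA at 172.16.1.1. The Python below models the kernel's route selection for the example setup in the question (the table is constructed from that setup, not dumped from a real server), checks that the gateway is on-link before the route is added, and reports which destinations change path so you can confirm customer-facing traffic is untouched. Interface names, the pool and the gateway are taken from the post; the persistent-route line uses the CentOS network-scripts format.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next hop; None means directly connected (on-link)


def make_table(routes: List[Tuple[str, str, Optional[str]]]) -> List[Route]:
    return [Route(ipaddress.ip_network(p), dev, via) for p, dev, via in routes]


# Constructed from the question's example setup: eth0 172.16.50.1/16 with
# gateway 172.16.1.1, eth1 10.1.50.1/16 with no gateway of its own.
BASE_TABLE = make_table([
    ("0.0.0.0/0",     "eth0", "172.16.1.1"),  # default via the ASA's DMZ-side address
    ("172.16.0.0/16", "eth0", None),          # connected route for eth0
    ("10.1.0.0/16",   "eth1", None),          # connected route for eth1
])

VPN_POOL = "10.1.200.0/24"  # the ASA's VPN address pool, as given in the answer
ASA_GW = "172.16.1.1"       # next hop back towards the ASA


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Linux picks the route with the longest matching prefix: the connected
    /16 beats the /0 default, and an added /24 beats the connected /16."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(interface, next hop) the kernel would use for a packet to dst."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r.dev, r.via if r.via else "on-link")


def gateway_is_onlink(table: List[Route], gw: str) -> bool:
    """`ip route add ... via GW` is rejected unless GW is on a connected subnet."""
    r = lookup(table, gw)
    return r is not None and r.via is None


def with_vpn_route(table: List[Route], pool: str = VPN_POOL, gw: str = ASA_GW) -> List[Route]:
    """Return a copy of the table with the VPN pool routed via the ASA,
    refusing gateways that are not directly reachable (the kernel would too)."""
    if not gateway_is_onlink(table, gw):
        raise ValueError(f"{gw} is not on a directly connected subnet")
    gw_dev = lookup(table, gw).dev
    return table + [Route(ipaddress.ip_network(pool), gw_dev, gw)]


def path_changes(before: List[Route], after: List[Route], dsts: List[str]) -> Dict[str, tuple]:
    """Blast-radius check: destinations whose selected path differs after the change."""
    return {d: (next_hop(before, d), next_hop(after, d)) for d in dsts
            if next_hop(before, d) != next_hop(after, d)}


def centos_persistent_route(pool: str = VPN_POOL, gw: str = ASA_GW, dev: str = "eth0") -> str:
    """Line for /etc/sysconfig/network-scripts/route-<dev> so the route survives a reboot."""
    return f"{pool} via {gw} dev {dev}"


if __name__ == "__main__":
    after = with_vpn_route(BASE_TABLE)
    # Sample destinations: the VPN client, an internal host, a DMZ host, the Internet.
    samples = ["10.1.200.1", "10.1.50.10", "172.16.50.20", "8.8.8.8"]
    for d in samples:
        print(f"{d:>14}: before {next_hop(BASE_TABLE, d)}  after {next_hop(after, d)}")
    print("changed paths:", path_changes(BASE_TABLE, after, samples))
    print("route-eth0 line:", centos_persistent_route())
```

On the real box, `ip route add 10.1.200.0/24 via 172.16.1.1` is the iproute2 equivalent of the `route add` command in the answer, `ip route get 10.1.200.1` shows which interface and next hop the kernel actually selected, and the line returned by `centos_persistent_route()` belongs in `/etc/sysconfig/network-scripts/route-eth0` so the fix does not vanish at the next reboot.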
